No Runny Eggs

The repository of one hard-boiled egg from the south suburbs of Milwaukee, Wisconsin (and the occasional guest-blogger). The ramblings within may or may not offend, shock and awe you, but they are what I (or my guest-bloggers) think.

Archive for September 21st, 2010

Twitter/JavaScript exploit

by @ 8:27. Filed under Miscellaneous.

Revisions/extensions (8:44 am 9/21/2010) – Had to change the second recommendation because Internet Explorer automatically disallows cookies on sites put in the “Restricted Zone”. Fortunately, the mobile version of Twitter is unaffected, and can be accessed by actual computers.

TechCrunch reports that an exploit is currently circulating through the Twitter web interface, involving how it renders tweets that contain JavaScript code. Specifically, tweets carrying an “onMouseOver” handler run that code as soon as the mouse passes over them, which causes, among other things, the exploit itself to be tweeted out.

It is not affecting third-party clients at this point, but if one opens a profile with the hacked “tweet” visible in a browser, that can (and probably will) affect that person as well.

At this point, I recommend the following:

  • If you are able to install a third-party Twitter client (like TweetDeck or Seesmic), do it and use it exclusively until Twitter gives the all-clear.
  • If you cannot install a third-party Twitter client, use the mobile site – http://mobile.twitter.com. At this point, it does not appear to be compromised, at least on my computer.

If you ended up as a victim, once you either installed that third-party client or switched to the mobile interface, use that to go back over your Twitter timeline and delete anything that includes “onMouseOver”.
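As an added illustration (not code from the original post or from Twitter), here is the general shape of the bug described above and of the clean-up step just recommended: a tweet body dropped into HTML unescaped can close the attribute it sits in and add its own onmouseover handler, while an escaped body stays inert. The renderers, the checker and the sample timeline are all constructed for this example.

```javascript
// Added example (not from the original post or from Twitter): the shape of the
// bug described above and its fix. Tweet bodies placed into HTML unescaped can
// close the attribute they sit in and add an onmouseover handler of their own;
// escaped bodies cannot. All functions and sample data here are constructed.

// Escape the five characters that matter in element content and quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the tweet text goes straight into a quoted attribute.
// A body containing a double quote terminates href and starts new attributes.
function renderLinkUnsafe(text) {
  return '<a href="' + text + '">link</a>';
}

// Hardened pattern: escape before interpolating, so the quote becomes an entity.
function renderLinkSafe(text) {
  return '<a href="' + escapeHtml(text) + '">link</a>';
}

// Approximate check on the rendered markup: count onmouseover attributes that
// are really opened with a literal quote (an entity-escaped &quot; does not count).
function countMouseoverAttrs(html) {
  const m = html.match(/\sonmouseover\s*=\s*"/gi);
  return m ? m.length : 0;
}

// Clean-up helper for the post's last recommendation: return the ids of
// timeline entries whose text mentions onMouseOver so they can be reviewed.
function flagSuspiciousTweets(tweets) {
  return tweets.filter((t) => /onmouseover/i.test(t.text)).map((t) => t.id);
}

// Constructed sample timeline. The second body breaks out of the attribute and
// names a placeholder handler; it is not the payload that circulated.
const sampleTweets = [
  { id: 101, text: "Coffee first, then the news." },
  { id: 102, text: 'http://example.test/" onmouseover="placeholderHandler()' },
];

console.log(renderLinkUnsafe(sampleTweets[1].text));
console.log(renderLinkSafe(sampleTweets[1].text));
console.log("flagged ids:", flagSuspiciousTweets(sampleTweets));
```

The unsafe renderer yields one live onmouseover attribute for the second tweet, the escaped renderer yields none, and the flagging helper returns only the second tweet's id.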

R&E part 2 (8:54 am 9/21/2010) – Twitter is patching this now. If you were a victim, do run a full anti-virus/anti-spyware scan.
