Users no longer have to click on a link to have their system hacked. Now they only have to hover over the link with their on-screen pointer.
"This would definitely make you snarf your coffee the first thing in the morning," says Beth Jones, senior threat manager at security firm Sophos, which warned of the attack on Tuesday.
Twitter shut down the attack -- which exploited a cross-site scripting issue in how the site handled mouse-over events -- by midmorning on Tuesday with a fix to its servers. The security flaw only affected users who viewed their Twitter feeds using a Web browser, not with third-party apps.
Yet, the typical lesson for users -- summed up as "be careful" -- does not apply here. Many security-minded users already mouse over links to see where they lead before clicking on them. Moreover, while a lot of the twitterati use third-party apps, many feeds are embedded in websites. A visitor who moused over one of the links there would have fallen prey to the issue as well.
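The mouse-over flaw described above is the textbook shape of an attribute-context cross-site scripting bug: text a user supplies is concatenated into a link's markup, so a stray quote character closes the href value and whatever follows is parsed as a new attribute, event handlers included. The JavaScript below is an added example and is not InfoWorld's, Sophos's, or Twitter's code; the function names, the scheme check, and the constructed input string are assumptions made for illustration. It places an unsafe link builder beside a hardened one and uses a small quote-aware tokenizer to verify that the hardened output carries only the attribute the developer intended.

```javascript
// Added example, not code from the original article or from Twitter.
// Shows why output encoding in HTML attribute context is the fix for the
// class of bug the article describes, and how to check the result.

// Encode the characters that can break out of text or attribute context.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Second, independent control: only http(s) links are rendered as links.
// (Hypothetical helper; any other scheme is replaced by a harmless "#".)
function allowedHref(url) {
  return /^https?:\/\//i.test(url) ? url : "#";
}

// Vulnerable pattern: raw concatenation into an attribute value.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + "</a>";
}

// Hardened pattern: scheme is checked, then every insertion is encoded.
function renderLinkSafe(url) {
  const href = allowedHref(url);
  return '<a href="' + escapeHtmlAttr(href) + '">' + escapeHtmlAttr(href) + "</a>";
}

// Quote-aware check: list the attribute names the first <a> tag actually has.
// Anything after a closed href value that parses as name="..." is a smuggled
// attribute, which is exactly what a reviewer or test should flag.
function attributeNames(html) {
  const tag = html.match(/^<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed input (not a real tweet): a URL-looking string that closes the
// href quote and appends a mouse-over handler name with an inert value.
const CONSTRUCTED_INPUT = 'http://example.com/" onmouseover="probe';

// Stand-alone run: the unsafe builder yields two attributes, the safe one yields one.
console.log(attributeNames(renderLinkUnsafe(CONSTRUCTED_INPUT))); // [ 'href', 'onmouseover' ]
console.log(attributeNames(renderLinkSafe(CONSTRUCTED_INPUT)));   // [ 'href' ]
```

The encoding step is the control that actually closes the hole; the scheme check is a second layer for a different problem (non-http link targets) and on its own would not have stopped attribute injection. Any feed widget that embeds tweets into a third-party page needs the same encoding on its side, which is the point the article makes about embedded feeds.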
So what's a user to do?
"Pretty much, unless you have locked down your browser, you are owned," she said.
This unfortunately continues a trend: the choice for Internet users seems increasingly to be between usability and security. Every new attack puts pressure on users to modify their behavior to make themselves more secure. Yet, like the security procedures at the airport, such measures always have a downside.
As Sophos' Jones remarked about her fully locked down browser: "No one likes to use it."
This article, "Lesson from latest Twitter attack: Don't hover?," was originally published at InfoWorld.com.