Lesson from latest Twitter attack: Don't hover?

The choice for Internet users seems increasingly to be between usability and security

Users no longer have to click on a link to have their system hacked. Now they only have to hover over the link with their on-screen pointer.

The latest security vulnerability on Twitter's website highlights that some attacks don't require a user to do something questionable. All a user needs to do is hover over a specially crafted link to run an attacker's JavaScript. So far, security firms have not seen truly malicious attacks using the technique, but jokesters and miscreants were rampantly using the attack to send followers to porn sites or, more kindly, to pop up a message on their screen. Some links would propagate virally as well.


"This would definitely make you snarf your coffee the first thing in the morning," says Beth Jones, senior threat manager at security firm Sophos, which warned of the attack on Tuesday.

Twitter shut down the attack -- which exploited a cross-site scripting issue in how the site handled mouse-over events -- by midmorning on Tuesday with a fix to its servers. The security flaw only affected users who viewed their Twitter feeds using a Web browser, not with third-party apps.
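The article only says the flaw was a cross-site scripting issue in how mouse-over events were handled. The following added example (not Twitter's code, and not from the article) shows the general shape of such a bug in a tweet "linkifier": the vulnerable version pastes a URL into an `href` attribute unescaped, so a URL containing a double quote can close the attribute early and smuggle in an event-handler attribute; the hardened version parses the URL, allows only http(s), and HTML-escapes everything it interpolates. The hostnames, tweet text and function names are constructed for illustration.

```javascript
// Added example, not Twitter's code: a tweet linkifier that turns URL text
// into an <a href="..."> tag. Hostnames and sample tweets are constructed.

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: trusts the matched text and pastes it straight into markup.
// A double quote inside the URL terminates the href value, and anything
// after it is parsed by the browser as further attributes of the <a> tag.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that change meaning in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: canonicalise through the WHATWG URL parser (which percent-encodes
// a literal `"` in the path), allow only http/https, and escape on output.
// Output escaping alone already prevents attribute injection; the parser and
// scheme check are independent second layers.
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    let parsed;
    try {
      parsed = new URL(url);
    } catch (e) {
      return escapeHtml(url); // not a URL we can vouch for: render as plain text
    }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return escapeHtml(url);
    }
    const safe = escapeHtml(parsed.href);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Output check a test or reviewer can run over rendered HTML: does any
// <a ...> tag carry an on* event-handler attribute we never intended to emit?
function anchorHasEventHandler(html) {
  const tags = html.match(/<a\s[^>]*>/g) || [];
  return tags.some((tag) => /(\s|")\s*on\w+\s*=/i.test(tag));
}

// Constructed samples: one benign tweet, one whose URL carries a quote that
// closes the href attribute early.
const BENIGN_TWEET = 'see http://host.example/path?q=1';
const CRAFTED_TWEET = 'check this http://host.example/"onmouseover="alert(1)';

console.log('vulnerable:', linkifyVulnerable(CRAFTED_TWEET));
console.log('  injected handler?', anchorHasEventHandler(linkifyVulnerable(CRAFTED_TWEET)));
console.log('hardened:  ', linkifySafe(CRAFTED_TWEET));
console.log('  injected handler?', anchorHasEventHandler(linkifySafe(CRAFTED_TWEET)));
```

Run it with `node` and compare the two rendered tags: in the vulnerable output the quote splits `href` into two attributes, while the hardened output keeps the whole URL as the single attribute value. The `anchorHasEventHandler` check is the kind of assertion worth keeping in a template's regression tests, since it catches the injection regardless of which escaping layer happened to block it.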

Yet, the typical lesson for users -- summed up as "be careful" -- does not apply. Many security-minded users already mouse over links to see where they lead before clicking on them. Moreover, while a lot of the twitterati use third-party apps, many feeds are embedded in websites. A visitor who moused over one of the links there would have fallen prey to the issue as well.

So what's a user to do?

"Pretty much, unless you have locked down your browser, you are owned," she said.

For Internet Explorer and Safari users, that would mean turning off JavaScript and going back to a less interactive Internet. For Mozilla Firefox users, installing and using the security plug-in NoScript lets them benefit from some protections but still use the Internet. Google's Chrome could be locked down as well, said Jones.

This unfortunately continues a trend: the choice for Internet users seems increasingly to be between usability and security. Every new attack puts pressure on users to modify their behavior to make themselves more secure. Yet, like the security procedures at the airport, such measures always have a downside.

As Sophos' Jones remarked about her fully locked down browser: "No one likes to use it."

This article, "Lesson from latest Twitter attack: Don't hover?," was originally published at InfoWorld.com.
