Users no longer have to click on a link to have their system hacked. Now they only have to hover over the link with their on-screen pointer.
"This would definitely make you snarf your coffee the first thing in the morning," says Beth Jones, senior threat manager at security firm Sophos, which warned of the attack on Tuesday.
Twitter shut down the attack -- which exploited a cross-site scripting issue in how the site handled mouse-over events -- by midmorning on Tuesday with a fix to its servers. The security flaw only affected users who viewed their Twitter feeds using a Web browser, not with third-party apps.
Yet the typical lesson for users -- summed up as "be careful" -- does not apply here. Many security-minded users already mouse over links to see where they lead before clicking on them, which is exactly the action that triggered this flaw. Moreover, while a lot of the twitterati use third-party apps, many feeds are embedded in websites, and a visitor who moused over one of those links would have fallen prey to the issue as well.
So what's a user to do?
"Pretty much, unless you have locked down your browser, you are owned," she said.