In some computer programming languages there is an event called “mouseover”. This command is used to determine what happens when a user put the mouse over a specific object. When you put the mouse over a hyperlink and see where that link will take you, that is a “mouseover” command at work. When you place your mouse over a picture and it tells you the size or other information, that too is a mouseover command at work.

Twitter had a big problem with the mouseover command. Users were able to embed a mouseover command in a tweet and if you simply put your mouse over the tweet it could launch a pop up, create a tweet, or even redirect you to another website. In a worst case attack, the mouseover vulnerability could redirect you to a website that would then attempt to exploit any number of other vulnerabilities to gain complete control of your computer. Another potential use would be to redirect you to a website for rogue AV software. In this attack you would point your mouse at a tweet and the next thing you would see is a web page that appears to be scanning your computer and telling you it is infected.

Twitter has reportedly fixed the problem, but many have advised to use products like Tweetdeck or Twitter Mobile that were unaffected by the flaw. The one caveat about using a third party product is that you are giving that company your password so that they can connect you to the service. Make sure you have reason to trust them with that information.

Randy Abrams
Director of Technical Education
ESET LLC