Twitter's New Mouse-Over Feature Is a Widely Abused Security Loophole


Twitter has fallen prey to hackers seduced by its growing popularity: its newly refreshed website has a wicked security loophole for visitors--all it takes is drifting your mouse pointer over a malicious link. And it's being widely abused.

The hack is pretty simple: all it needs is an embedded link in a tweet. When you visit any profile that contains the tweet--either as an official or unofficial "RT" retweet--by going to the relevant page on and then letting your mouse pointer move over the link, Twitter's code currently attempts a quick preview of the link's contents. And voila! Instead of being taken where you think you're going, you could end up with a porn site on your screen.

But there's some big potential for abuse here: by redirecting you to a site that contains malicious code, hackers could plant a virus on your machine (particularly if you're an unwitting victim, or not so Net-savvy), or at the very least launch some persistent spam advertising pop-ups.
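The article does not say how a link in a tweet ends up running code on mouseover, so the following is an added illustration, not Twitter's code and not a description of its internals. It assumes the common cause of this class of bug: the URL text from a tweet is concatenated straight into an HTML attribute, so a crafted value can close the `href` quote and add its own `onmouseover` attribute. The hardened version validates the scheme and escapes the value before inserting it. The sample link, the `injected()` handler name and all function names are constructed for this example.

```javascript
// Added example (not Twitter's code): an unescaped URL placed into an href
// attribute lets a crafted tweet smuggle in an onmouseover handler; attribute
// escaping plus scheme validation closes that hole.
// Assumption: the page does not say how Twitter built its markup; this models
// the common pattern of concatenating user-supplied text into an attribute.

// Vulnerable rendering: the URL is dropped straight into the attribute.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the five characters that can break out of HTML text or a
// double-quoted attribute value. '&' is replaced first so later
// replacements are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only well-formed http(s) URLs; reject javascript:, data:, etc.
// Returns the normalized URL, or null when the value is unacceptable.
function safeHttpUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Hardened rendering: validate the scheme, then escape before inserting.
// Unacceptable links are shown as plain escaped text rather than an anchor.
function renderLinkSafe(url) {
  const checked = safeHttpUrl(url);
  if (checked === null) {
    return escapeHtml(url);
  }
  const attr = escapeHtml(checked);
  return '<a href="' + attr + '">' + attr + '</a>';
}

// Crude detection check used by the example: does the rendered markup contain
// an inline event-handler attribute? (Real code would parse the DOM instead.)
function hasEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed sample: link text that closes the href quote and adds a
// mouseover handler. "injected()" is a placeholder name, not real code.
const craftedLink = 'http://example.com/" onmouseover="injected()';

console.log('unsafe:', renderLinkUnsafe(craftedLink));
console.log('  has handler?', hasEventHandler(renderLinkUnsafe(craftedLink)));
console.log('safe:  ', renderLinkSafe(craftedLink));
console.log('  has handler?', hasEventHandler(renderLinkSafe(craftedLink)));
```

The point of the hardened path is that it does not trust the link text at all: a non-http(s) scheme never becomes an anchor, and anything that does become one is escaped so a quote in the text cannot end the attribute. In a real code base this belongs in a templating layer with automatic escaping, or in DOM APIs such as `setAttribute`, rather than in hand-written string concatenation.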

Twitter is certainly aware of this "mouseover" issue (we've emailed them to check on this) and is probably preparing a fix. Until it does, there are two easy ways to avoid the problem--don't click on a link that looks wrong somehow (some of the more jokey tweets that exploit the loophole hide the link text behind a colored bar, or use extremely large or small font sizes), or simply avoid going to and instead use a third-party client to access your Twitter feed, as many people do anyway.

The biggest takeaway from this news is that now that Twitter is gaining such a big following online, and is emerging as a powerful and useful tool for all sorts of purposes, it's going to attract the attention of hackers and coding ne'er-do-wells the world over.

To keep up with this news, follow me, Kit Eaton, on Twitter.