The choice for Internet users seems increasingly to be between usability and security
By Robert Lemos | InfoWorld
Users no longer have to click on a link to have their system hacked. Now they only have to hover over the link with their on-screen pointer.
The latest security vulnerability on Twitter's website highlights that some attacks don't require a user to do something questionable. All a user needs to do is hover over a specially crafted link to run an attacker's JavaScript. So far, security firms have not seen truly malicious attacks using the technique, but jokesters and miscreants were rampantly using the attack to send followers to porn sites or, more kindly, to pop up a message on their screen. Some links would propagate virally as well.
"This would definitely make you snarf your coffee the first thing in the morning," says Beth Jones, senior threat manager at security firm Sophos, which warned of the attack on Tuesday.
Twitter shut down the attack -- which exploited a cross-site scripting issue in how the site handled mouse-over events -- by midmorning on Tuesday with a fix to its servers. The security flaw only affected users who viewed their Twitter feeds using a Web browser, not with third-party apps.
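As an added illustration (not code from the article or from Twitter), this shows the assumed shape of such a flaw: untrusted link text interpolated into an HTML attribute without escaping, beside a renderer that escapes on output. The functions escapeHtml, renderLinkUnsafe, renderLinkSafe and hasInlineHandler and the sample input are all constructed here.

```javascript
// Assumed form of the bug (not Twitter's code): the link text is dropped
// straight into the href attribute, so a double quote in the input can end
// the attribute and start a new one, such as an onmouseover handler.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the characters that change meaning inside HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: allow only http(s) URLs (so javascript: never reaches
// the href) and escape the value wherever it is written into markup.
function renderLinkSafe(url) {
  const allowed = /^https?:\/\//i.test(url) ? url : '#';
  const esc = escapeHtml(allowed);
  return '<a href="' + esc + '">' + esc + '</a>';
}

// Review helper: does rendered markup contain an inline event handler
// attribute? An attribute name can follow whitespace or a closing quote.
// Heuristic regex, good enough for a unit test, not a full HTML parser.
function hasInlineHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample input: a URL whose text tries to close the attribute.
const constructedInput = 'http://example.com/"onmouseover="alert(1)';

// Expected: the unsafe renderer emits a handler, the safe one does not.
console.log(hasInlineHandler(renderLinkUnsafe(constructedInput))); // true
console.log(hasInlineHandler(renderLinkSafe(constructedInput)));   // false
```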
Yet the typical lesson for users -- summed up as "be careful" -- does not apply here. Many security-minded users already mouse over links to see where they lead before clicking on them. Moreover, while a lot of the twitterati use third-party apps, many feeds are embedded in websites, and a visitor who moused over one of those links would have fallen prey to the issue as well.
So what's a user to do?
"Pretty much, unless you have locked down your browser, you are owned," she said.
<snip>
http://www.infoworld.com/t/malware/lesson-latest-twitter-attack-dont-hover-137