Twitter 'onmouseover' security flaw hits site

Sophos tells users to use third-party apps

Sarah Brown victim of a Twitter hack

UPDATE: Twitter has announced it has fixed the security flaw, explaining on its

Twitter is blaming the hack on an XSS (cross-site scripting) attack.


A security flaw has appeared on micro-blogging site Twitter, which allows third-party sites to open up in your browser when you simply hover your mouse pointer over a link.

The hack has targeted thousands of profiles and even redirected readers of Sarah Brown's Twitter feed to a Japanese porn site.


Mouse in the house

Security firm Sophos has outlined the potential problems with the flaw, which exploits the onmouseover JavaScript event handler: because the handler fires as soon as the pointer passes over an element, you can be redirected to another site without even clicking on a link.

Although Sophos believes that the flaw is "innocuous" at the moment, it is recommending that all users access Twitter through a third-party client rather than the main site until the JavaScript code has been blocked.

If you are using the site, it is recommended that you don't click any link containing the 'onmouseover' command, or any that contain blocks of colour (rainbow tweets), as these can hide their true content.
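To make the mechanism concrete, here is an added example (not code from the article, Twitter or Sophos) showing why a tweet that carries an onmouseover attribute executes when a site drops user text straight into an href attribute, the escaped rendering that neutralises it, and a simple screen for attribute-breakout text. The sample tweets are constructed for the demonstration.

```javascript
// Constructed sample tweets; the second one closes the href attribute
// early and adds a hover handler, the pattern the article describes.
const SAMPLE_TWEETS = [
  'Good morning, see http://example.com/news',
  'http://example.com/#" onmouseover="alert(\'xss\')" style="color:red" a="',
];

// Escape the characters that let text break out of an HTML attribute or tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: user text is placed into markup unescaped, so the
// quote inside the tweet ends the href and onmouseover becomes a live attribute.
function renderVulnerable(tweet) {
  return `<a href="${tweet}">${tweet}</a>`;
}

// Hardened rendering: the browser sees one long href value and the
// onmouseover text is inert character data.
function renderSafe(tweet) {
  const safe = escapeHtml(tweet);
  return `<a href="${safe}">${safe}</a>`;
}

// A quote that could close an attribute, followed by an on* handler name and
// an equals sign. Use it to screen submitted text or to check rendered markup.
const ATTR_BREAKOUT = /["']\s*on[a-z]+\s*=/i;

function looksLikeAttributeInjection(text) {
  return ATTR_BREAKOUT.test(text);
}

// Screen a batch of tweets, returning an index and verdict for each.
function screen(tweets) {
  return tweets.map((t, i) => ({ index: i, suspicious: looksLikeAttributeInjection(t) }));
}
```

Running the screen over the vulnerable output flags the second tweet, while the escaped output of the same tweet no longer contains a quote that can close the attribute, so it passes.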

Go to for more details.

If you are stuck on which third-party app to use, don't worry as TechRadar has compiled two lists: six of the best Twitter web apps and the 12 best Twitter apps to help you make a decision.

Here SophosLabs has created a video to explain the situation: