Mouse-over exploit now patched, says Twitter

Micro-blogging site Twitter says the JavaScript worm that caused havoc on its web platform today has now been patched.

The exploit, which utilised a technique known as 'cross-site scripting' (XSS), could be used to redirect users' browsers to spoof or malicious sites simply when they rolled their mouse pointer over an infected link.

Security experts warned that the worm, which posted further infected tweets from the victim's own account, could be used to redirect users to sites that downloaded malicious code onto their machines.
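The flaw described above comes down to user-supplied tweet text being rendered into HTML without being escaped, so a stray quote can start a new attribute such as onmouseover. As an added defensive illustration, not Twitter's code, the following renders a tweet so that neither its text nor its link URL can ever become live markup; the tweet text and URL are constructed sample values.

```javascript
// Added example (not Twitter's code): render a tweet so that nothing the
// user typed can become an HTML tag or attribute. Assumes the tweet text
// and link URL arrive as plain strings.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) URLs; javascript:, data: and unparseable input are dropped.
// Returns the normalised URL (WHATWG parsing percent-encodes characters such as
// a double quote in the path) or null.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (e) {
    // not a parseable URL
  }
  return null;
}

// Build the markup from escaped pieces only. The href is always quoted and
// escaped, so a URL containing `"onmouseover="` cannot close the quote and
// start a new attribute; the same goes for the tweet text.
function renderTweet(text, url) {
  const href = safeHref(url);
  const body = escapeHtml(text);
  if (href === null) return `<p>${body}</p>`;
  const h = escapeHtml(href);
  return `<p>${body} <a href="${h}">${h}</a></p>`;
}

// Constructed sample: text and URL that both try to break out of their
// context. In the output the only raw double quotes are the two around href.
const sampleText = 'look at this <b>x</b>" onmouseover="x"';
const sampleUrl = 'http://example.com/"onmouseover="x"';

function rawQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTweet(sampleText, sampleUrl));
}
```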

Head of Twitter's Trust and Safety team, Del Harvey, tweeted at 14:52 BST: "The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it."

The micro-blogging platform had been coming under increasing pressure from security experts to close down its web site, after thousands of users were believed to have fallen prey to the bug.

Christopher Boyd, senior threat researcher at network security firm GFI Software, told THINQ: "While most examples of the ‘onmouseover’ security flaw seem to be people playing around with code without specific malicious aim, there have already been numerous cases reported today of porn and shock site redirects, along with profile corruption and various other side effects.

"While there's a possibility that bad actors may use this to direct end-users to malware and phish pages, I'd like to think Twitter will have this under control before that happens. However, we are surprised that Twitter has not suspended the main web site while it works on a fix."

Among high-profile Twitter users to have fallen victim to the exploit was Sarah Brown, the wife of the UK's former Labour prime minister, Gordon Brown.