A video from SophosLabs demonstrating the Twitter vulnerability.
According to security analysis firm Sophos, simply running your mouse over certain tweets could activate pop-ups, send you messages, or even redirect you to another site.
And a number of Twitter accounts were redirecting users to hardcore pornography sites — including the feed of Sarah Brown, wife of former British Prime Minister Gordon Brown.
By 10 AM this morning, Twitter released a statement claiming “all clear” that Twitter “should now be fully patched and is no longer exploitable“. But some security experts say that with sheer volume of infected messages involved, even though it was patched, there may be some issues.
Also, some users are using to flaw to mask their user ID’s:
“It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code.
Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of color (known as “rainbow tweets”). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.”
According to the article, third party Twitter apps were not affected, because they do not use the same script. The article also recommends people avoid using Twitter for a while.
It is a shame that people would do something like this. I really makes you think twice about letting your kids use the internet, when they could be talking to their friends one minute but then re-directed to a very questionable site the next.
Today we have a tutorial on how to make it easier to become a victim of a cyber stalker on any of your favorite social media sites. To simplify things, I have included step by step directions, please follow along.
STEP 1: Take a picture using any smart phone – iPhone, Blackberry, Android, etc. This can be a picture of your dog, cat, wife, kids, computer, house, favorite pet, annoying neighbor, or a combination of any two.
STEP 2: Upload the picture to your social media site.
That’s it, thanks for joining us. Today’s broadcast was brought to you by… What? You want to know more? How does just taking a picture and uploading it to a social media site give away any personal data?
Okay, I will tell you, here is the problem. Most new “smart phones” come with geo tracking enabled by default. So, when you take a picture, your location, in longitude and latitude is automatically added to the metadata of the picture. Metadata is just additional information that is tagged onto the picture and can be viewed. Kind of like the picture “properties”.
When the picture is uploaded, the metadata goes right along with it. So basically, every picture taken with a smart phone gives away the location where it was shot and it can be viewed by anyone on the web.
Now, what if someone were to make a program to sweep the social media sites just looking for pictures that contain geo location data? Then, what if, hypothetically speaking, they take your name, the picture and your profile picture and post it? Now, since we started down this bunny trail, what if they also were nice enough to also include a Google Map showing exactly where the picture was taken?
No one would be that sinister you say? Oh contraire, let me introduce you to I Can Stalk You. The website was created by security specialists to raise the awareness of inadvertant information sharing. Though I am not 100% sure that they are truly revealing the actual location data, it is still kind of creepy.
How can you stop giving away your location with each photograph? The “I Can Stalk You” site contains instructions on how to turn off the Geo Tagging on the most popular phones.
It is amazing how much personal information we give away online, and sometimes we don’t even know it.