Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."

First Post

http://t.co/@"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:First Post

[blai]

RT @Anonymous\ Coward http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:First Post

[SimonTheSoundMan]

Requires one word — "ROTFL".

Re:First Post

[Crudely_Indecent]

Which one of the five words represented by that acronym are you referring to?

Re:First Post

[somersault]

It's all a ruse. If someone tries to mod him down, he shall become more powerful than we could possibly imagine. Or at least, the script will start working :0

Re:First Post

[rickb928]

Naw. ACs have a short lifespan. They were made that way. We need not concern ourselves with them unless they become dangerous.

What dangerous is should be obvious.

Re:First Post

[somersault]

What dangerous is should be obvious.

Able to make their way up the basement stairs?

Re:First Post

[goombah99]

How does this actually work? It's usually hard to write a program that can print itself out. And to do that in so few characters would be even harder. However it looks like this one is somehow cheating and asking the containing document to tell it it's own content. But I'm not a good java script programmer to understand it.

Re:First Post

[c6gunner]

Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.

Re:First Post

That is not an acronym.. it's an initialism

Well

[The+MAZZTer]

I'm sure glad all the tweets about this have the #mouseover hash tag so I can click on it in my client to open the twitter.com web interface and read about how I shouldn't use the twitter.com web interface.

Re:Well

[The+MAZZTer]

Looks like any JS event for anchor tags can be used (I just made one using the sample seen in the article for an onclick handler that returns false).

Re:Well

[The+MAZZTer]

Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.

Or mobile

[bbtom]

If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/

Re:Or mobile

But I don't use twitter at all, how does that help me you insensitive clod!?

Re:Or mobile

[bbtom]

The conditional word "if" was included for your convenience.

Re:Or mobile

[JustOK]

So, if he doesn't want to use the web interface, then is the mobile version affected or not?

Re:Or mobile

[Bonewalker]

If a social media hub is infected with a virus and no one is around to mouse-over it, would it still make Slashdot's front page?

Re:Or mobile

[JustOK]

question would be how many dupes would appear.

Re:Or mobile

That's not a logically valid conclusion. However, if the mobile version is affected, then he doesn't want to use the web interface.

Hmm

[grub]

Why, again, should I be using Twitter?

Re:Hmm

[MrHanky]

It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

Re:Hmm

[Pojut]

I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

Re:Hmm

[grub]

Yes, for that I agree, should have clarified and meant as a 'tweeter'.

Still think I nailed it when I wrote "Twitter: the UDP of human conversation. -me"

Re:Hmm

[kisrael]

I can't tell you why you should be using Twitter, but some of us have friends or know of folks online who are good at dropping the pithy bon mot, or find it a convenient way to announce things.

Why again should you be using email? Or SMS txt'ing? Or slashdot?

Re:Hmm

[somersault]

Can't really tell if that's a joke about the article, or whether that's actually meant to mean something useful. Doesn't really help answer his question either way..

Re:Hmm

[grub]

I've posted it once before, google will prove it. Nice troll, though.

Re:Hmm

[AbRASiON]

I have mod points, so it's really hard to decide if I should reply or just send your obvious bait into oblivion.
Instead I'll bite though.

I hated twitter when I first heard about it, I didn't 'get' it. Now, having used it - it's the most powerful communications tool I've ever seen, period.
It's a perfect replacement to SMS, I can see if events are occuring internationally almost instantly, I can broadcast things to all or keep them private. It's an incredible tool for sharing information and frankly should be the end of SMS, period.

Once you realise you can respond to some very interesting people at the click of a button you'll possibly appreciate it.

Re:Hmm

[Bill,+Shooter+of+Bul]

judging by the media, I'd say you're supposed to use twitter if you're ever in jail/kidnapped in a third world country. Then you'll be set free by a flashmob of justin berbers, only to discover you've just been punk'd.

Re:Hmm

[NotBorg]

Email? Meh, old news. Texting? Meh, newfangled. Slashdot? Ah Slashdot: You will never find a more wretched hive of scum and villainy. We must be cautious.

Re:Hmm

Why, again, should I be using Twitter?

The more fundamental question is "why, again, should I be allowing Javascript?"

Re:Hmm

[kisrael]

Ironically, your clever (and shibboleth-ish; I had to google UDP to make sure I got it) line about twitter is an excellent example of what twitter is excellent for, as a "tweeter" -- the sharing of an engaging twist of perspective.

There's a lingering perception of twitter as a "what I'm having for dinner right now" kind of thing, but in practice that's a small fraction of the use of it (YMMV)-- conversely I would say Twitter's "right in the moment" aspect makes such talk a little more engaging and less banal, because there's more a chance of it being part of the shared human experience, distributed across space but unified in time -- but I think most people who "tweet" in that mode don't have big followings outside the group of people they know in real life.

So I'd say, as a tweeter, if you can come up with lines like the UDP one frequently, then you should be using twitter to increase the sum total of cleverness online and garner some of that old school egoboo. If all you're going to post about is what you're doing right now, then why bother?

Re:Hmm

[grub]

Well, we're even. I had to google "shibboleth" :)

Cheers!

Re:Hmm

[tehcyder]

For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?

In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing. When you lo into Film Star A's blog, you know you're just doing the equivalent of reading her diary. But when you get a tweet on your mobile phone, it's sort of like she's talking directly to you.

Re:Hmm

[ian_from_brisbane]

Why, again, should I be using Twitter?

To get redirected to hardcore porn of course!

Re:Hmm

[MobileTatsu-NJG]

I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

But.. but.. but... it's mainstream! And mainstream stuff, especially things that require 'followers' or 'friends', is dumb and stupid and totally beneath us nerds! I prefer to use email and other less ideal solutions that this thing does elegantly!

Re:Hmm

No one gives a rat fuck.

Re:Hmm

[kisrael]

"For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?"

It's the one to many thing -- not "many" as in "countless hoards of fans", but many as in "a set of people I know in real life and who I've run into online" -- most people don't generate enough content to make a website worth coming back to on a daily or more basis, but amalgamated with a bunch of other people's thoughts, and now you've got something!

There are other paths to the same thing -- if everyone used RSS heavily, you could be part of your audience's RSS feed, and still get a proportional amount of timely attention. And Facebook has a similar "fax machine effect" as Twitter -- for close friends, I would hope to get personal email or a call or word in person of important events, but for a big mass of people who I'm not that close to but not entirely distant, FB fills a niche. (That said I barely keep up with FB -- in general it's more "day to day" boring stuff and less people trying to be clever than twitter)

So that's what twitter does that a website (in practice) "can't" - aggregation is the key.

"In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing."

I'm sure this is true for many twitter readers, but it's certainly not universally applicable. I might follow some famous people, but only ones who seem to be trying to write funny or smart stuff.

Re:Hmm

[CrazyJim1]

I got my job through Twitter. It is social networking. If you use it right, you meet new people.

Re:Hmm

[spectro]

Twitter is great for those of us with no writing talent: no need to post a whole blog about an idea we can explain in 140 characters or less

Re:Hmm

[dswensen]

Actually, being able to work within strict limitations -is- a pretty good indicator of talent. It's much easier to bloviate for paragraphs at a time without saying anything.

Re:Hmm

[mahadiga]

Nerds have attention span of only 140 characters.

Re:Hmm

[coryking]

Twitter is hardly mainstream. Out of a huge assortment of people I know, almost all of them, nerds or technophobes have a facebook account. I have only met one person who claims to use Twitter.

Twitter is pure, 100% hype. It is the most hyped ".com" I've seen since, well, the dot.com days. Seriously. Twitter is not mainstream in the least.

Re:Hmm

[MobileTatsu-NJG]

"Twitter is hardly mainstream.... It is the most hyped ".com" I've seen since, well, the dot.com days."

Heh. Seriously? It's more hyped than any .com and it's not mainstream?

Two billion tweets in a 3 month period? Every business and their mother advertising 'follow us on twitter!' The word 'tweet' being widely recognized by most Joe Schmoe's?

Okie doke. Not mainstream at all.

Re:Hmm

How is it different than RSS?

Again?

[Dragoniz3r]

You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

Re:Again?

[NevarMore]

What if its a tweet about programming in JavaScript?

Re:Again?

[Dragoniz3r]

Then you escape it so it displays, instead of executing... seriously... same way you handle < and > and all the other naughty characters

Re:Again?

[martas]

then force people to use escaped sequences. i.e. only display "computer.fuckUp()" at the very last step, in the ui. everywhere else it should be "computer\.fuckUp\(\)". [note: toy example. not actually claiming that '.' and parens should be escaped...]

Re:Again?

[Deag]

I think it is half solutions that are the problem. Allowing any sort of tags allows for adding script to various events and the like and even stripping them is quite difficult.
You either need to use a library that is proven to do this or escape all html.

Re:Again?

[cygnwolf]

So you sanitize it to display characters only instead of a script.

Re:Again?

[Jason+Levine]

Easy. If they escaped double-quotes (") to &quote; then this wouldn't happen because the code wouldn't be able to escape the href section of the link.

Re:Again?

[iLogiK]

From I could tell, the string looks something like this: http://example.com/#@"onmouseover=">"

my guess is this is come bug related to how they handle hashtags/user profile links

I think they're regularly running a script that takes out the # from the link from old tweets

Re:Again?

Yes... quite difficult...~

For your average run-of-the-mill take-your-pick-from-a-grab-bag-of-middle-eastern-countries CS / CE student who cheated (erm, collaborated) his/her way through all the required programming courses... quite difficult indeed.

Re:Again?

[Kristopeit,MichaelDa]

because the raw input should be stored in case additional sanitation processing is required in the future. re-sanitizing might not be feasible as new special characters were introduced to replace old.

this is about sanitizing OUTPUT... there is probably someone in the company like you that handles output sanitation by completely ignoring it and doing all sanitation on the input side... then they are switched to a different team or a new feature is thrown in the mix that doesn't comply with the standards used in different teams... boom. billion dollar company looks like chumps. children playing on daddy's computer. certainly not to be trusted.

Re:Again?

Why not allow random strings of script in user-submitted data, and have the server escape it instead of forcing the user to do it?

Re:Again?

That probably sounded wonderful in your head, but it looks retarded in black and white. Sanitizing inputs vs. outputs has no significant difference when it comes to the results. It's not even like the core HTML/JavaScript syntax has changed tremendously since it was ever first invented...

Re:Again?

[somersault]

But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0

Re:Again?

[Kristopeit,MichaelDa]

yes, but NEW SERVICES UTILIZING "core HTML/JavaScript" have their own syntax and internal interfaces... such as the t.co service EXPLOITED IN THIS CASE.

you are so dumb.

emphasizing sanitizing output allows you to keep the users originally provided input for reference. if you've never needed such a reference i'd argue you probably don't do this for a living.

Re:Again?

[somersault]

or the server could just convert < and > to &lt; and &gt; when it received a tweet, wouldn't that work to "escape all HTML"?

Re:Again?

[Deag]

That is one way of doing it, but if you have a requirement for rich text for example it complicates things. And the more control you are handing over to the user the more difficult it is to stop javascript sneaking in somewhere.

Re:Again?

[gpuk]

That's what he meant (i hope)

Re:Again?

[dkf]

But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0

But what if attackers used single quotes too?

(Sheesh!)

Re:Again?

[somersault]

That's what I meant..

Re:Again?

So, is your complete inability to interact with others without resorting to childish name-calling some sort of an Asperger thing, or are you genuinely an asshole? Sheesh man, you deserve every ounce of shit these people give you.

Re:Again?

but most of these "fixes" increase the number of characters in the tweet, which could, in theory, put you over the 140 character limit. and that would cause the world to end.

Re:Again?

[Mike+Da.+Kristopeit]

is your inability to not cower behind anonymity or provide any factual insight to any conversation some sort of hypocritical idiot thing, or are you genuinely ignorant?

you are NOTHING

Re:Again?

[iamvim]

nearly any method of escaping characters creates a longer string. this would most likely result in tweets to be longer than 140 characters. and as far as I know, that would result in the end of the internet as we know it.

Re:Again?

is your inability to not cower behind anonymity or provide any factual insight to any conversation some sort of hypocritical idiot thing, or are you genuinely ignorant?

you are NOTHING

How many Slashdot accounts do you have?

Re:Again?

[Sigma+7]

It's quite possible to store the tweet in 140 characters, while just as easily as escaping sensitive characters on an HTML interface. It's called escaping on demand, and any library that deals with HTML should have that feature already.

Re:Again?

[Mike+Da.+Kristopeit]

how many CAN i have?

you are NOTHING

Re:Again?

[omnichad]

The server shouldn't really store HTML entities. You don't want to receive that junk in an XML API or to have to convert it for a non-HTML desktop client. You store the original and escape for display.

Re:Again?

[somersault]

Good point, that's actually how I already handle this type of situation in my own apps now that I think about it: escape HTML special chars and convert newlines to break tags on the way out, but leave the original text in the database.

Re:Again?

how many CAN i have?

you are NOTHING

For what it's worth, I am a different AC who asked how many accounts you have.

You're a beautiful loving person.

Re:Again?

[TheSpoom]

Why is filtering this stuff out not part of standard input sanitization practices by now?

It is, I'd just guess that whoever is behind Twitter is not as competent as you might think.

Re:Again?

[Mike+Da.+Kristopeit]

for what it's worth, i knew you were a different AC.

you are NOTHING

Re:Again?

for what it's worth, i am a different AC than either of the above. and you're an idiot.

Hosts file

[MidnightPsycho]

Add "t.co" to your Windows Hosts file - this will stop the jibberish text.
Although the web interface is still broke. (The interface goes grey, and
any click still tries to go to the t.co web page)

Add this to your Hosts file:

0.0.0.0 t.co

Re:Hosts file

[bbtom]

That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0

The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ ) until Twitter fixes the exploit.

Re:Hosts file

But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

Re:Hosts file

[MrHanky]

No. Some of the tweets use a different address.

Re:Hosts file

[MidnightPsycho]

Yeah - just saw one with "a.no" .....

Re:Hosts file

[The+MAZZTer]

Using NoScript or Google Chrome's Content Settings to block JavaScript on twitter.com is also an option, maybe. Not sure how well twitter.com works that way but onmouseover handlers won't run and AJAX won't work so this exploit is useless then.

Re:Hosts file

[SimonTheSoundMan]

Spoken to twitter on IRC. It is fixed. Going to take a while to propagate through the servers.

Re:Hosts file

[L4t3r4lu5]

Or don't use Twitter. Seriously.

Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...

Re:Hosts file

[The+MAZZTer]

That won't do anything. t.co is only used in order to trick twitter into creating an anchor tag, to which the onmouseover handler can be attached. Since you're on twitter.com the only place an AJAX call can be sent to retweet is... twitter.com. example.com can be used instead of t.co and the exploit would still work the same.

Re:Hosts file

[Jedi+Alec]

Actually, I'm having a lot of fun distilling what I want to say down to its bare essence in order to fit the 140 char space.

Then again, I mostly use twitter to see my elected officials make fun of each other(and egg 'm on a bit at times).

Re:Hosts file

[SimonTheSoundMan]

http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched

Re:Hosts file

Unless you run a botnet

Re:Hosts file

[asdfington]

The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ ) until Twitter fixes the exploit.

or simply retweet and lol.

Re:Hosts file

[Kristopeit,MichaelDa]

can you prove there isn't exploit potential in the m.twitter.com interface?

Re:Hosts file

[Thanshin]

nothing of any real import can be expressed in 140 characters...

"The bag is in locker #437. You'll find your fee and the target's dossier inside."
"The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
"Cut the red wire."
"Salutations earthlings. We come in peace."

Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.

"Dear Mr.Assassin. I've left the money, in $20 bills, inside big a black leather bag. The target data will be inside the bag that you'll find in locker #"

Re:Hosts file

[JustOK]

640K much?

Re:Hosts file

[tehcyder]

For all those things I think you'd be safer using a throwaway pay as you go mobile phone and texting the message (well, maybe not the aliens).

Re:Hosts file

Nothing of any import should be expressed on a website owned by someone else.
Use RSS. We don't need Twitter reporting what locker my spy equipment is in to all their IT guys.

Obligatory xkcd

[labcoatless]

http://xkcd.com/327/

Re:Obligatory xkcd

[Kristopeit,MichaelDa]

obligatory you're an idiot...

the issue was with sanitizing database OUTPUT.

little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.

Re:Obligatory xkcd

[ledow]

Whichever way you look at it (input or output) no damn javascript should EVER make it into a tweet. Nobody but Twitter knows if that's because the tweet-input routines didn't filter it effectively, or because the tweet display routines allow you to see the javascript as actual markup instead of sanitised plain-text.

Either way, allowing JS scripts, HTML tags or anything NOT TEXT into a tweet means you didn't attend your first grade computer security courses. This isn't some massively complex hack - somehow javascript was not stripped or escaped adequately, allowing a single piece of it on the site to constantly be executed automatically by all users, and whose input was then accepted time and time again as a valid tweet without escaping it properly.

Someone should REALLY be fired. In fact, several people, because on a site that size there should damn-well be several programmers and several people running tests and checking for such things.

Re:Obligatory xkcd

[Kristopeit,MichaelDa]

it's such an obvious misstep, i have to believe it was intentional to make all their twits feel relieved that "the good folks at twitter fixed the virus"... they'll never know it was the incompetence of those same folks that the exploit existed in the first place

Re:Obligatory xkcd

[somersault]

Completely random aside, but in English even though you use 's to signify possession for nouns, instead of "it's", you actually write it "its".

Happy to help you sanitise your output ;)

Re:Obligatory xkcd

[Jello+B.]

It's not obligatory. Suck dick.

Re:Obligatory xkcd

[socsoc]

Cause it isn't a noun... It's is a contraction.

Re:Obligatory xkcd

and you are a humourless git.

Re:Obligatory xkcd

[Mike+Dav.+Kristopeit]

the very mistake the original poster made stems from the same procedural confusion which created the exploit potential.

continued ignorance is not humorous. it's ignorant.

Re:Obligatory xkcd

[labcoatless]

I apologize for offending you. Still, I disagree. In my opinion, the problem is as much about sanitizing input as about output, regardless of where the damage is done.

Re:Obligatory xkcd

[Mike+Da.+Kristopeit]

the sad part is, these exploit paths are pretty much everywhere... my coworkers and i used to have contests about who could get javascript executing on some arbitrary domain first while we had lunch... only stumped maybe a few times... almost never, with dozens and dozens of successes. of course our own domains were bulletproof. i'm still convinced perhaps we were the only developers at the time that respected the potential of the problem. now people are arguing against HTML5 because it does nothing to remove this very same potential for cross site attacks... and idiot developers would have you belief that is "an issue", when the real issue is idiot developers not doing anything to not be idiot developers.

Re:Obligatory xkcd

of course bobby tables wouldn't... of course bobby tables wouldn't have allowed a trivially basic error such as unsanitised sql queries in user-entered data either, so your making a large point of this is largely pointless really.

Re:Obligatory xkcd

[Mike+Da.+Kristopeit]

you're still talking about input sanitation... further demonstrating my point that MOST DEVELOPERS DON'T UNDERSTAND THE DIFFERENCE.

Re:Obligatory xkcd

[Mike+Da.+Kristopeit]

sanitization of the sanitation.

Re:Obligatory xkcd

The joke is close enough to be funny. There's no need for the insulting language. If you want to point out some nitpicking detail, that's fine. There's no need to be antisocial about it. People will respect your intelligence more if you aren't an ass.

P.S. You could have pointed out that this isn't a SQL injection attack but you didn't. Who's the fucking idiot now?!!!!!!

Re:Obligatory xkcd

It's too bad you can post any random link to xkcd and get modded up on slashdot...

Re:Obligatory xkcd

[Mike+Da.+Kristopeit]

so you're hypocritically tell me what i can find funny? look at you, you're still ignorantly responding attempting to silence someone.

the problem is lack of sanitization.

ur mum's face is the fucking idiot now.

Re:Obligatory xkcd

[Mike+Da.+Kristopeit]

ur mum's face can post any random link to xkcd and get modded up on slashdot

Additional details from Netcraft, Sophos

[1sockchuck]

There's more info on the spread of this exploit from Paul Mutton at Netcraft and Graham Cluely at Sophos.

Re:Additional details from Netcraft, Sophos

[Spykk]

Confirmed by Netcraft? Better start panicking.

Re:Additional details from Netcraft, Sophos

[davek]

There's more info on the spread of this exploit from Paul Mutton at Netcraft

Well, then it must be true if Netcraft confirms it.

Re:You mean...

[bbtom]

Yes, there are people who aren't total social media douchebags who use Twitter.

HootSuite uses ow.ly which for quite a long time wrapped links in a stupid 'social toolbar', a sort of crap Twitter version of the DiggBar. Horrible. If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.

Easy solution

Disable javascript. If something as simple as twitter requires javascript be enabled on the client, the company deserve all the resulting security problems!

Re:Easy solution

[Dragoniz3r]

I'm sorry, but 1994 called, and it wants its World Wide Web back. Interactive webpages are the future, they are actually really nice when they're done properly, and denying that is just holding you back. I expect that sooner or later secure programming mentalities will become deeply ingrained in Web programming, and things like this will stop happening. There will always be bugs, but that's no different from any other software.

NoScript is a much better solution than out-and-out disabling javascript anyways.

Re:Easy solution

[Culture20]

1994 called, and it wants its World Wide Web back.

I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>

Re:Easy solution

Sorry, there's zero reason twitter can't degrade gracefully, or rather "upgrade pointlessly" using non-obtrusive script. Twitter is not a complicated app, it doesn't need anything that can't be done via HTML 3.2.

Hence, your "interactive web pages are the future" comment is misinformed bullshit. Sure, google maps or an online photoshop clone _require_ javascript, however text based information does not and never will!

Re:Easy solution

[tehcyder]

*sobs* who ever thought we'd be getting nostalgic for blink tags?

Re:Easy solution

[uncanny]

fine fine, i'm getting off your lawn, sheesh!

Re:Easy solution

Haha. Shut up grandpa.

Re:Easy solution

Behold! My glamorous animated, scrolling and/or blinking GIFs!

Re:Easy solution

[djh2400]

Seriously, I don't get the anti-JavaScript mindset. From what I understand, however, it is only a small (and quite vocal) minority.

People who disable JavaScript should not expect to experience a working website (including Twitter).

Here let me fix that for you

[hellfire]

...so it is recommended that you refrain from social media altogether.

There, fixed it for you.

Re:Here let me fix that for you

[Andrewkov]

So abstinence is the best way to avoid viruses?

Re:Here let me fix that for you

[socsoc]

Bah, beat me to it.

Alternative social media

Or you could just move to a sane and open alternative, like any of the sites built on status.net, such as http://www.identi.ca

Or even roll your own.

Oh really? Refrain from what?

[mr_mischief]

refrain from social media altogether until the problem is resolved

Sorry, I didn't realize Twatter was "social media altogether". Sorry, Slashdot, you just admitted on your front page you are irrelevant. Only Twitter counts.

Re:You mean...

If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.

That they're at work?

Also saw

[asdfington]

http://a.no/@"onmouseover=";$('textarea:first.val(this.innerHTML);$.('status-update-form.submit();"class="modal-overlay"/ which puts an overlay on the whole site, causing any mouseover to retweet. Personally I think this is pretty hilarious. If you mouse around a bunch you get something like this: http://i.imgur.com/qTPeK.png Yes I know you can see my acct. in the bg, I don't care; if it were private, why would I put it on twitter?

Now FIXED

[bbtom]

It is now FIXED.

http://twitter.com/delbius/status/25120366027

Re:Now FIXED

Oh thank goodness. Now back to my social life.

Re:Now FIXED

[mybecq]

The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.

about 1 hour ago via web
Retweeted by 100+ people

So, they tweeted that they had fixed a bug preventing unintended retweeting, and 100+ people have retweeted it?

Re: Now FIXED

The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.
Retweeted by 100+ people.

Apparently not.

Re:Now FIXED

100+ retweets is quite common especially if it's about a popular topic written by a prominent individual.

pure shame.

[Kristopeit,MichaelDa]

a web application allowing users to output html that can alter layout, or javascript that can be executed is such a giant fail, that twitter should seriously consider firing the highest members of it's management staff responsible for code architecture review.

as is always the case, they'll claim it passed regression testing, so there was nothing they could do... but the simple fact is they failed at creating viable regression tests.

this is kindergarten CS stuff... these are the developers the big name outfits are hiring? do they work in the US? did anyone check their resumes?

this is pathetic

Refrain from using the internet

[faulteh]

until they fix twitter.

EVERYONE! Grab a shovel.. dig a hole in the sand and instruct the person next to you to put their head in the hole, now bury their heads in the sand. Everyone do the same! Wait... one person will have to be left behind.

This is a well orchestrated attack by twitter to highlight the need to move to their own in-house url shortener t.co instead of all those other pesky untrustworthy other url shorteners. However, on a funny note it's amazing how people will, nay, must click things, especially since it's been shortened into something meaningless. No way those links could be suspect, someone tweeted that... to me! it's ok, i'll just move my mouse over here... and exert some pressure on the left mouse button... oh cr*p what have i done? LOLCATS!

Keep the fear alive!

muted into a more sinister attack?

[Attila+Dimedici]

I'm confused as to how reducing the intensity of this exploit would make it more sinister. If anybody can give me an idea of how that would work, I would appreciate it.
Now on the other hand if this attack were to mutate I could see it easily becoming something that might be very disruptive for twits (those who use Twitter).

Re:muted into a more sinister attack?

[nwmann]

perhaps they mean making it less noticed and more destructive. therefore quiet or muted to us all the while racking up the damage.

TLDR

[vlm]

If that was TLDR, heres my summary:

"... it is recommended that you ... refrain from social media altogether ..."

Works for me!

From TFS

[vegiVamp]

"refrain from social media altogether until the problem is resolved"

I've been doing exactly that, and intend on keeping to do that until the problem of Twitter has been resolved.

Re:From TFS

[wjousts]

But how will you know what your favorite celebrities are having for lunch?!?

Re:From TFS

[vegiVamp]

The hidden webcams I've mounted everywhere in their houses, of course.

mocking illiterate editors is too easy

[sribe]

This could easily be muted into a more sinister attack.

mute |myot|
verb [ trans. ]
1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
  muffle the sound of (a musical instrument), esp. by the use of a mute.
  figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

mutate |myott|
verb
change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
  Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

Re:mocking illiterate editors is too easy

[HaloZero]

You're entirely right, and that is an oversight on my part. I had originally mis-typed 'mutated' (mutaed?), and instead of spell-checking it to 'mutated', it went to 'muted'. I didn't realize until I saw it on the front page, and said 'Doh!'.

You got the idea, though.

Anyone want to seek it?

[AHuxley]

http://www.spy.appspot.com/ a "search" site for social media
Might be fun to note who is using in in ~ realtime.

Web Interface Exploit?

[andr00oo]

Exploit? I can't see that this is any worse than what the Twitter Web Interface (or any other Twitter interface) was designed to do.

Already done

refrain from social media altogether until the problem is resolved

Hey, they found my solution, then again, since I never know when it is vulnerable, I just avoid it altogether.

Curing Retweet Viruses

[rakuen]

It seems this one has been fixed already, but if you get infected in the future, here's one way to fix it so you at least won't spread the plague too much. Other methods exist, but this is how you could do it if for some reason you only wanted to use Twitter's main webpages.

1) Make sure you've got a script-blocker, such as NoScript.
2) Disable scripts from Twitter and TwitImg (or whatever the image server is, I can't check it now).
3) Navigate to twitter.com/USERNAME#
4) Right now, you lack a lot of Twitter functionality, but the Undo button should still work. Click it.
5) Twitter should tell you it's attempting to undo. Wait a few moments, and then refresh.
6) Repeat 4 and 5 until you successfully cure yourself.
7) Don't use Twitter again until the exploit is fixed.
8) NOW you can restore your original settings.

wait, what?

[Son+of+Byrne]

This line just made me laugh:

or refrain from social media altogether

Sounds like health class again.

HAHAHAHAHAHAHA

What a stupid, senseless pieces of garbage. And for what purpose are all of these social engineering, I mean networking, sites.

OWASP's Top Ten

[Temujin_12]

Every web developer should religiously study OWASP's Top Ten Most Critical Web Application Security Risks and be held accountable to it by their superiors.

Those who work with contractors should especially do this as I've found that contractors tend to have the worst habits when it comes to security.

Use a third party client? But they're broken

[IBBoard]

How can I use a 3rd party client when my favourite ones are broken and the ones that aren't broken a missing vital features for those who aren't on Twitter 24/7 (like Gwibber and its lack of scroll-back)? Curse you, OAuth deadline. Curse you!

Random ID's

[neorush]

I've always coded most forms, especially login forms, with random form names / ID's. This stops most generic javascript based attacks. While you could certainly code easily enough to submit form 0 and change value of DOM object 1, it adds to the complexity of the whole exploit, and would have stopped any successful attempts at a hard coded getElementById().

Thanks for stating the obvious

The only useful thing saw in the article was "refrain from social media altogether".

Thanks for stating the obvious :)