Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."

Or mobile

[bbtom]

If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/

Hosts file

[MidnightPsycho]

Add "t.co" to your Windows Hosts file - this will stop the jibberish text.
Although the web interface is still broke. (The interface goes grey, and
any click still tries to go to the t.co web page)

Add this to your Hosts file:

0.0.0.0 t.co

Re:Hosts file

[bbtom]

That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0

The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ ) until Twitter fixes the exploit.

Re:Hosts file

But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

Re:Hosts file

[SimonTheSoundMan]

http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched

Additional details from Netcraft, Sophos

[1sockchuck]

There's more info on the spread of this exploit from Paul Mutton at Netcraft and Graham Cluely at Sophos.

Now FIXED

[bbtom]

It is now FIXED.

http://twitter.com/delbius/status/25120366027

Re:Obligatory xkcd

[Kristopeit,MichaelDa]

obligatory you're an idiot...

the issue was with sanitizing database OUTPUT.

little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.

Re:Well

[The+MAZZTer]

Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.

mocking illiterate editors is too easy

[sribe]

This could easily be muted into a more sinister attack.

mute |myot|
verb [ trans. ]
1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
  muffle the sound of (a musical instrument), esp. by the use of a mute.
  figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

mutate |myott|
verb
change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
  Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

Re:First Post

[c6gunner]

Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.