Slashdot Mirror


Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."


  1. First Post by Anonymous Coward · · Score: 5, Funny

    http://t.co/@"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

    Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

    1. Re:First Post by blai · · Score: 5, Funny

      RT @Anonymous\ Coward http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

      --
      In soviet Russia, God creates you!
    2. Re:First Post by SimonTheSoundMan · · Score: 1

      Requires one word — "ROTFL".

    3. Re:First Post by Crudely_Indecent · · Score: 1

      Which one of the five words represented by that acronym are you referring to?

      --
      "Lame" - Galaxar
    4. Re:First Post by somersault · · Score: 1

      It's all a ruse. If someone tries to mod him down, he shall become more powerful than we could possibly imagine. Or at least, the script will start working :0

      --
      which is totally what she said
    5. Re:First Post by rickb928 · · Score: 1

      Naw. ACs have a short lifespan. They were made that way. We need not concern ourselves with them unless they become dangerous.

      What dangerous is should be obvious.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    6. Re:First Post by somersault · · Score: 1

      What dangerous is should be obvious.

      Able to make their way up the basement stairs?

      --
      which is totally what she said
    7. Re:First Post by goombah99 · · Score: 1

      How does this actually work? It's usually hard to write a program that can print itself out. And to do that in so few characters would be even harder. However it looks like this one is somehow cheating and asking the containing document to tell it its own content. But I'm not a good enough JavaScript programmer to understand it.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    8. Re:First Post by c6gunner · · Score: 2, Informative

      Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.

  2. Well by The+MAZZTer · · Score: 1

    I'm sure glad all the tweets about this have the #mouseover hash tag so I can click on it in my client to open the twitter.com web interface and read about how I shouldn't use the twitter.com web interface.

    1. Re:Well by The+MAZZTer · · Score: 1

      Looks like any JS event for anchor tags can be used (I just made one using the sample seen in the article for an onclick handler that returns false).

    2. Re:Well by The+MAZZTer · · Score: 2, Informative

      Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.

  3. Or mobile by bbtom · · Score: 3, Informative

    If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/

    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    1. Re:Or mobile by bbtom · · Score: 4, Funny

      The conditional word "if" was included for your convenience.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    2. Re:Or mobile by JustOK · · Score: 2, Funny

      So, if he doesn't want to use the web interface, then is the mobile version affected or not?

      --
      rewriting history since 2109
    3. Re:Or mobile by Bonewalker · · Score: 2, Funny

      If a social media hub is infected with a virus and no one is around to mouse-over it, would it still make Slashdot's front page?

    4. Re:Or mobile by JustOK · · Score: 1

      question would be how many dupes would appear.

      --
      rewriting history since 2109
  4. Hmm by grub · · Score: 4, Insightful

    Why, again, should I be using Twitter?

    --
    Trolling is a art,
    1. Re:Hmm by MrHanky · · Score: 4, Funny

      It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

    2. Re:Hmm by Pojut · · Score: 1

      I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

    3. Re:Hmm by grub · · Score: 1

      Yes, for that I agree, should have clarified and meant as a 'tweeter'.

      Still think I nailed it when I wrote "Twitter: the UDP of human conversation. -me"

      --
      Trolling is a art,
    4. Re:Hmm by kisrael · · Score: 1, Insightful

      I can't tell you why you should be using Twitter, but some of us have friends or know of folks online who are good at dropping the pithy bon mot, or find it a convenient way to announce things.

      Why again should you be using email? Or SMS txt'ing? Or slashdot?

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    5. Re:Hmm by somersault · · Score: 1

      Can't really tell if that's a joke about the article, or whether that's actually meant to mean something useful. Doesn't really help answer his question either way..

      --
      which is totally what she said
    6. Re:Hmm by grub · · Score: 1

      I've posted it once before, google will prove it. Nice troll, though.

      --
      Trolling is a art,
    7. Re:Hmm by AbRASiON · · Score: 1

      I have mod points, so it's really hard to decide if I should reply or just send your obvious bait into oblivion.
      Instead I'll bite though.

      I hated twitter when I first heard about it, I didn't 'get' it. Now, having used it - it's the most powerful communications tool I've ever seen, period.
      It's a perfect replacement to SMS, I can see if events are occurring internationally almost instantly, I can broadcast things to all or keep them private. It's an incredible tool for sharing information and frankly should be the end of SMS, period.

      Once you realise you can respond to some very interesting people at the click of a button you'll possibly appreciate it.

    8. Re:Hmm by Bill,+Shooter+of+Bul · · Score: 1

      judging by the media, I'd say you're supposed to use twitter if you're ever in jail/kidnapped in a third world country. Then you'll be set free by a flashmob of justin berbers, only to discover you've just been punk'd.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    9. Re:Hmm by NotBorg · · Score: 1

      Email? Meh, old news. Texting? Meh, newfangled. Slashdot? Ah Slashdot: You will never find a more wretched hive of scum and villainy. We must be cautious.

      --
      I want this account deleted.
    10. Re:Hmm by kisrael · · Score: 1

      Ironically, your clever (and shibboleth-ish; I had to google UDP to make sure I got it) line about twitter is an excellent example of what twitter is excellent for, as a "tweeter" -- the sharing of an engaging twist of perspective.

      There's a lingering perception of twitter as a "what I'm having for dinner right now" kind of thing, but in practice that's a small fraction of the use of it (YMMV)-- conversely I would say Twitter's "right in the moment" aspect makes such talk a little more engaging and less banal, because there's more a chance of it being part of the shared human experience, distributed across space but unified in time -- but I think most people who "tweet" in that mode don't have big followings outside the group of people they know in real life.

      So I'd say, as a tweeter, if you can come up with lines like the UDP one frequently, then you should be using twitter to increase the sum total of cleverness online and garner some of that old school egoboo. If all you're going to post about is what you're doing right now, then why bother?

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    11. Re:Hmm by grub · · Score: 2, Funny

      Well, we're even. I had to google "shibboleth" :)

      Cheers!

      --
      Trolling is a art,
    12. Re:Hmm by tehcyder · · Score: 2, Interesting

      For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?

      In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing. When you log into Film Star A's blog, you know you're just doing the equivalent of reading her diary. But when you get a tweet on your mobile phone, it's sort of like she's talking directly to you.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    13. Re:Hmm by ian_from_brisbane · · Score: 1, Insightful

      Why, again, should I be using Twitter?

      To get redirected to hardcore porn of course!

    14. Re:Hmm by MobileTatsu-NJG · · Score: 1, Insightful

      I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

      But.. but.. but... it's mainstream! And mainstream stuff, especially things that require 'followers' or 'friends', is dumb and stupid and totally beneath us nerds! I prefer to use email and other less ideal solutions that this thing does elegantly!

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    15. Re:Hmm by kisrael · · Score: 1

      "For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?"

      It's the one to many thing -- not "many" as in "countless hoards of fans", but many as in "a set of people I know in real life and who I've run into online" -- most people don't generate enough content to make a website worth coming back to on a daily or more basis, but amalgamated with a bunch of other people's thoughts, and now you've got something!

      There are other paths to the same thing -- if everyone used RSS heavily, you could be part of your audience's RSS feed, and still get a proportional amount of timely attention. And Facebook has a similar "fax machine effect" as Twitter -- for close friends, I would hope to get personal email or a call or word in person of important events, but for a big mass of people who I'm not that close to but not entirely distant, FB fills a niche. (That said I barely keep up with FB -- in general it's more "day to day" boring stuff and less people trying to be clever than twitter)

      So that's what twitter does that a website (in practice) "can't" - aggregation is the key.

      "In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing."

      I'm sure this is true for many twitter readers, but it's certainly not universally applicable. I might follow some famous people, but only ones who seem to be trying to write funny or smart stuff.

      --
      SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
    16. Re:Hmm by CrazyJim1 · · Score: 1

      I got my job through Twitter. It is social networking. If you use it right, you meet new people.

    17. Re:Hmm by spectro · · Score: 2, Insightful

      Twitter is great for those of us with no writing talent: no need to post a whole blog about an idea we can explain in 140 characters or less

      --
      HTML is obsolete. It's time for a new, simpler and richer markup language.
    18. Re:Hmm by dswensen · · Score: 1

      Actually, being able to work within strict limitations -is- a pretty good indicator of talent. It's much easier to bloviate for paragraphs at a time without saying anything.

    19. Re:Hmm by mahadiga · · Score: 1

      Nerds have attention span of only 140 characters.

      --
      I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
    20. Re:Hmm by coryking · · Score: 2, Insightful

      Twitter is hardly mainstream. Out of a huge assortment of people I know, almost all of them, nerds or technophobes have a facebook account. I have only met one person who claims to use Twitter.

      Twitter is pure, 100% hype. It is the most hyped ".com" I've seen since, well, the dot.com days. Seriously. Twitter is not mainstream in the least.

    21. Re:Hmm by MobileTatsu-NJG · · Score: 1

      "Twitter is hardly mainstream.... It is the most hyped ".com" I've seen since, well, the dot.com days."

      Heh. Seriously? It's more hyped than any .com and it's not mainstream?

      Two billion tweets in a 3 month period? Every business and their mother advertising 'follow us on twitter!' The word 'tweet' being widely recognized by most Joe Schmoe's?

      Okie doke. Not mainstream at all.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  5. Again? by Dragoniz3r · · Score: 4, Insightful

    You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

    1. Re:Again? by NevarMore · · Score: 1

      What if its a tweet about programming in JavaScript?

    2. Re:Again? by Dragoniz3r · · Score: 1

      Then you escape it so it displays, instead of executing... seriously... same way you handle < and > and all the other naughty characters

    3. Re:Again? by martas · · Score: 1

      then force people to use escaped sequences. i.e. only display "computer.fuckUp()" at the very last step, in the ui. everywhere else it should be "computer\.fuckUp\(\)". [note: toy example. not actually claiming that '.' and parens should be escaped...]

    4. Re:Again? by Deag · · Score: 1

      I think it is half solutions that are the problem. Allowing any sort of tags allows for adding script to various events and the like and even stripping them is quite difficult.
      You either need to use a library that is proven to do this or escape all html.

    5. Re:Again? by cygnwolf · · Score: 1

      So you sanitize it to display characters only instead of a script.

      --
      Free Pie! The Pie is Also Evil!
    6. Re:Again? by Jason+Levine · · Score: 1

      Easy. If they escaped double-quotes (") to &quote; then this wouldn't happen because the code wouldn't be able to escape the href section of the link.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    7. Re:Again? by iLogiK · · Score: 1

      From what I could tell, the string looks something like this: http://example.com/#@"onmouseover=">"

      my guess is this is some bug related to how they handle hashtags/user profile links

      I think they're regularly running a script that takes out the # from the link from old tweets

    8. Re:Again? by somersault · · Score: 1

      But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0

      --
      which is totally what she said
    9. Re:Again? by somersault · · Score: 1

      or the server could just convert < and > to &lt; and &gt; when it received a tweet, wouldn't that work to "escape all HTML"?

      --
      which is totally what she said
    10. Re:Again? by Deag · · Score: 1

      That is one way of doing it, but if you have a requirement for rich text for example it complicates things. And the more control you are handing over to the user the more difficult it is to stop javascript sneaking in somewhere.

    11. Re:Again? by gpuk · · Score: 1

      That's what he meant (i hope)

    12. Re:Again? by dkf · · Score: 1

      But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0

      But what if attackers used single quotes too?

      (Sheesh!)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    13. Re:Again? by somersault · · Score: 1

      That's what I meant..

      --
      which is totally what she said
    14. Re:Again? by Mike+Da.+Kristopeit · · Score: 1

      is your inability to not cower behind anonymity or provide any factual insight to any conversation some sort of hypocritical idiot thing, or are you genuinely ignorant?

      you are NOTHING

    15. Re:Again? by iamvim · · Score: 1

      nearly any method of escaping characters creates a longer string. this would most likely result in tweets to be longer than 140 characters. and as far as I know, that would result in the end of the internet as we know it.

    16. Re:Again? by Sigma+7 · · Score: 1

      It's quite possible to store the tweet in 140 characters, while just as easily as escaping sensitive characters on an HTML interface. It's called escaping on demand, and any library that deals with HTML should have that feature already.

    17. Re:Again? by Mike+Da.+Kristopeit · · Score: 1

      how many CAN i have?

      you are NOTHING

    18. Re:Again? by omnichad · · Score: 1

      The server shouldn't really store HTML entities. You don't want to receive that junk in an XML API or to have to convert it for a non-HTML desktop client. You store the original and escape for display.

    19. Re:Again? by somersault · · Score: 1

      Good point, that's actually how I already handle this type of situation in my own apps now that I think about it: escape HTML special chars and convert newlines to break tags on the way out, but leave the original text in the database.

      --
      which is totally what she said
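The escaping thread above (escape quotes, not just angle brackets; store the raw tweet and escape on the way out) as an added example, written for this page rather than taken from Twitter or any commenter. The autolinker rule, the sample tweet and the `placeholder()` handler body are all constructed here.

```javascript
// Added example, not Twitter's code: the "escape for display" advice from the
// thread, applied to where this bug lived, a URL placed inside an href="..."
// attribute by an autolinker. Escaping only < and > protects text nodes but
// not attribute values; a raw " closes the attribute.

// Constructed sample tweet. It mirrors the shape of the payload quoted in the
// thread (a quote inside the URL) but the handler body is a harmless placeholder.
const SAMPLE_TWEET =
  'see http://example.com/@"onmouseover="placeholder()" and <b>hi</b>';

// Naive escaping: stops tags in text nodes, leaves quotes untouched.
function escapeTagsOnly(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Escaping that is safe for both text nodes and double- or single-quoted
// attribute values. & goes first so the entities produced here are not re-escaped.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Toy autolinker rule (an assumption, not Twitter's): from http(s):// up to
// the next whitespace is treated as a URL.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable rendering: the matched URL is dropped into href="..." with only
// < and > escaped, so a " in the URL ends the attribute and the rest of the
// "URL" becomes further attributes (such as an event handler) on the <a>.
function renderUnsafe(tweet) {
  const text = escapeTagsOnly(tweet);
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened rendering: keep the raw tweet as stored, split it into URL and
// plain-text segments, and escape each segment for the context it lands in.
// The URL goes through escapeHtml before it is placed in the attribute.
function renderSafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Lists the attribute names a browser would see on the first <a> in a fragment,
// following the double-quoted attribute grammar. Used to compare the renderers.
function anchorAttributeNames(html) {
  const start = html.indexOf("<a ");
  if (start < 0) return [];
  const attr = /\s*([A-Za-z][\w-]*)="([^"]*)"/y; // sticky: must match at lastIndex
  attr.lastIndex = start + 2;
  const names = [];
  let m;
  while ((m = attr.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

console.log("unsafe:", anchorAttributeNames(renderUnsafe(SAMPLE_TWEET))); // href, onmouseover
console.log("safe:  ", anchorAttributeNames(renderSafe(SAMPLE_TWEET)));   // href
```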
    20. Re:Again? by TheSpoom · · Score: 1

      Why is filtering this stuff out not part of standard input sanitization practices by now?

      It is, I'd just guess that whoever is behind Twitter is not as competent as you might think.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    21. Re:Again? by Mike+Da.+Kristopeit · · Score: 1

      for what it's worth, i knew you were a different AC.

      you are NOTHING

  6. Hosts file by MidnightPsycho · · Score: 3, Informative

    Add "t.co" to your Windows Hosts file - this will stop the gibberish text. Although the web interface is still broken. (The interface goes grey, and any click still tries to go to the t.co web page)

    Add this to your Hosts file:

    0.0.0.0 t.co

    1. Re:Hosts file by bbtom · · Score: 2, Informative

      That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0

      The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ ) until Twitter fixes the exploit.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    2. Re:Hosts file by Anonymous Coward · · Score: 2, Informative

      But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

    3. Re:Hosts file by MrHanky · · Score: 1

      No. Some of the tweets use a different address.

    4. Re:Hosts file by MidnightPsycho · · Score: 1

      Yeah - just saw one with "a.no" .....

    5. Re:Hosts file by The+MAZZTer · · Score: 1

      Using NoScript or Google Chrome's Content Settings to block JavaScript on twitter.com is also an option, maybe. Not sure how well twitter.com works that way but onmouseover handlers won't run and AJAX won't work so this exploit is useless then.

    6. Re:Hosts file by SimonTheSoundMan · · Score: 1

      Spoken to twitter on IRC. It is fixed. Going to take a while to propagate through the servers.

    7. Re:Hosts file by L4t3r4lu5 · · Score: 3, Insightful

      Or don't use Twitter. Seriously.

      Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    8. Re:Hosts file by The+MAZZTer · · Score: 1

      That won't do anything. t.co is only used in order to trick twitter into creating an anchor tag, to which the onmouseover handler can be attached. Since you're on twitter.com the only place an AJAX call can be sent to retweet is... twitter.com. example.com can be used instead of t.co and the exploit would still work the same.

    9. Re:Hosts file by Jedi+Alec · · Score: 1

      Actually, I'm having a lot of fun distilling what I want to say down to its bare essence in order to fit the 140 char space.

      Then again, I mostly use twitter to see my elected officials make fun of each other(and egg 'm on a bit at times).

      --
      People replying to my sig annoy me. That's why I change it all the time.
    10. Re:Hosts file by asdfington · · Score: 1

      The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ ) until Twitter fixes the exploit.

      or simply retweet and lol.

    11. Re:Hosts file by Kristopeit,MichaelDa · · Score: 1

      can you prove there isn't exploit potential in the m.twitter.com interface?

    12. Re:Hosts file by Thanshin · · Score: 3, Funny

      nothing of any real import can be expressed in 140 characters...

      "The bag is in locker #437. You'll find your fee and the target's dossier inside."
      "The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
      "Cut the red wire."
      "Salutations earthlings. We come in peace."

      Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.

      "Dear Mr. Assassin. I've left the money, in $20 bills, inside a big black leather bag. The target data will be inside the bag that you'll find in locker #"

    13. Re:Hosts file by JustOK · · Score: 1

      640K much?

      --
      rewriting history since 2109
    14. Re:Hosts file by tehcyder · · Score: 1

      For all those things I think you'd be safer using a throwaway pay as you go mobile phone and texting the message (well, maybe not the aliens).

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  7. Obligatory xkcd by labcoatless · · Score: 3, Funny

    1. Re:Obligatory xkcd by Kristopeit,MichaelDa · · Score: 2, Informative

      obligatory you're an idiot...

      the issue was with sanitizing database OUTPUT.

      little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.

    2. Re:Obligatory xkcd by ledow · · Score: 1

      Whichever way you look at it (input or output) no damn javascript should EVER make it into a tweet. Nobody but Twitter knows if that's because the tweet-input routines didn't filter it effectively, or because the tweet display routines allow you to see the javascript as actual markup instead of sanitised plain-text.

      Either way, allowing JS scripts, HTML tags or anything NOT TEXT into a tweet means you didn't attend your first grade computer security courses. This isn't some massively complex hack - somehow javascript was not stripped or escaped adequately, allowing a single piece of it on the site to constantly be executed automatically by all users, and whose input was then accepted time and time again as a valid tweet without escaping it properly.

      Someone should REALLY be fired. In fact, several people, because on a site that size there should damn-well be several programmers and several people running tests and checking for such things.

    3. Re:Obligatory xkcd by Kristopeit,MichaelDa · · Score: 1

      it's such an obvious misstep, i have to believe it was intentional to make all their twits feel relieved that "the good folks at twitter fixed the virus"... they'll never know it was the incompetence of those same folks that the exploit existed in the first place

    4. Re:Obligatory xkcd by somersault · · Score: 1

      Completely random aside, but in English even though you use 's to signify possession for nouns, instead of "it's", you actually write it "its".

      Happy to help you sanitise your output ;)

      --
      which is totally what she said
    5. Re:Obligatory xkcd by Mike+Dav.+Kristopeit · · Score: 1

      the very mistake the original poster made stems from the same procedural confusion which created the exploit potential.

      continued ignorance is not humorous. it's ignorant.

    6. Re:Obligatory xkcd by labcoatless · · Score: 1

      I apologize for offending you. Still, I disagree. In my opinion, the problem is as much about sanitizing input as about output, regardless of where the damage is done.

    7. Re:Obligatory xkcd by Mike+Da.+Kristopeit · · Score: 1

      the sad part is, these exploit paths are pretty much everywhere... my coworkers and i used to have contests about who could get javascript executing on some arbitrary domain first while we had lunch... only stumped maybe a few times... almost never, with dozens and dozens of successes. of course our own domains were bulletproof. i'm still convinced perhaps we were the only developers at the time that respected the potential of the problem. now people are arguing against HTML5 because it does nothing to remove this very same potential for cross site attacks... and idiot developers would have you believe that is "an issue", when the real issue is idiot developers not doing anything to not be idiot developers.

    8. Re:Obligatory xkcd by Mike+Da.+Kristopeit · · Score: 1

      you're still talking about input sanitation... further demonstrating my point that MOST DEVELOPERS DON'T UNDERSTAND THE DIFFERENCE.

    9. Re:Obligatory xkcd by Mike+Da.+Kristopeit · · Score: 1

      sanitization of the sanitation.

    10. Re:Obligatory xkcd by Mike+Da.+Kristopeit · · Score: 1

      so you're hypocritically telling me what i can find funny? look at you, you're still ignorantly responding attempting to silence someone.

      the problem is lack of sanitization.

      ur mum's face is the fucking idiot now.

    11. Re:Obligatory xkcd by Mike+Da.+Kristopeit · · Score: 1

      ur mum's face can post any random link to xkcd and get modded up on slashdot

  8. Additional details from Netcraft, Sophos by 1sockchuck · · Score: 3, Informative

    There's more info on the spread of this exploit from Paul Mutton at Netcraft and Graham Cluely at Sophos.

    1. Re:Additional details from Netcraft, Sophos by Spykk · · Score: 1

      Confirmed by Netcraft? Better start panicking.

  9. Re:You mean... by bbtom · · Score: 1

    Yes, there are people who aren't total social media douchebags who use Twitter.

    HootSuite uses ow.ly which for quite a long time wrapped links in a stupid 'social toolbar', a sort of crap Twitter version of the DiggBar. Horrible. If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.

    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
  10. Here let me fix that for you by hellfire · · Score: 1, Insightful

    ...so it is recommended that you refrain from social media altogether.

    There, fixed it for you.

    --
    "All great wisdom is contained in .signature files"

    1. Re:Here let me fix that for you by Andrewkov · · Score: 1

      So abstinence is the best way to avoid viruses?

    2. Re:Here let me fix that for you by socsoc · · Score: 1

      Bah, beat me to it.

  11. Also saw by asdfington · · Score: 2, Interesting

    http://a.no/@"onmouseover=";$('textarea:first.val(this.innerHTML);$.('status-update-form.submit();"class="modal-overlay"/ which puts an overlay on the whole site, causing any mouseover to retweet. Personally I think this is pretty hilarious. If you mouse around a bunch you get something like this: http://i.imgur.com/qTPeK.png Yes I know you can see my acct. in the bg, I don't care; if it were private, why would I put it on twitter?

  12. Now FIXED by bbtom · · Score: 3, Informative

    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    1. Re:Now FIXED by mybecq · · Score: 1

      The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.

      about 1 hour ago via web
      Retweeted by 100+ people

      So, they tweeted that they had fixed a bug preventing unintended retweeting, and 100+ people have retweeted it?

  13. pure shame. by Kristopeit,MichaelDa · · Score: 1

    a web application allowing users to output html that can alter layout, or javascript that can be executed is such a giant fail, that twitter should seriously consider firing the highest members of its management staff responsible for code architecture review.

    as is always the case, they'll claim it passed regression testing, so there was nothing they could do... but the simple fact is they failed at creating viable regression tests.

    this is kindergarten CS stuff... these are the developers the big name outfits are hiring? do they work in the US? did anyone check their resumes?

    this is pathetic

  14. Refrain from using the internet by faulteh · · Score: 1

    until they fix twitter.

    EVERYONE! Grab a shovel.. dig a hole in the sand and instruct the person next to you to put their head in the hole, now bury their heads in the sand. Everyone do the same! Wait... one person will have to be left behind.

    This is a well orchestrated attack by twitter to highlight the need to move to their own in-house url shortener t.co instead of all those other pesky untrustworthy other url shorteners. However, on a funny note it's amazing how people will, nay, must click things, especially since it's been shortened into something meaningless. No way those links could be suspect, someone tweeted that... to me! it's ok, i'll just move my mouse over here... and exert some pressure on the left mouse button... oh cr*p what have i done? LOLCATS!

    Keep the fear alive!

  15. muted into a more sinister attack? by Attila+Dimedici · · Score: 1

    I'm confused as to how reducing the intensity of this exploit would make it more sinister. If anybody can give me an idea of how that would work, I would appreciate it.
    Now on the other hand if this attack were to mutate I could see it easily becoming something that might be very disruptive for twits (those who use Twitter).

    --
    The truth is that all men having power ought to be mistrusted. James Madison
    1. Re:muted into a more sinister attack? by nwmann · · Score: 1

      perhaps they mean making it less noticed and more destructive. therefore quiet or muted to us all the while racking up the damage.

  16. Re:Easy solution by Dragoniz3r · · Score: 3, Funny

    I'm sorry, but 1994 called, and it wants its World Wide Web back. Interactive webpages are the future, they are actually really nice when they're done properly, and denying that is just holding you back. I expect that sooner or later secure programming mentalities will become deeply ingrained in Web programming, and things like this will stop happening. There will always be bugs, but that's no different from any other software.

    NoScript is a much better solution than out-and-out disabling javascript anyways.

  17. TLDR by vlm · · Score: 1

    If that was TLDR, here's my summary:

    "... it is recommended that you ... refrain from social media altogether ..."

    Works for me!

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  18. From TFS by vegiVamp · · Score: 3, Funny

    "refrain from social media altogether until the problem is resolved"

    I've been doing exactly that, and intend on keeping to do that until the problem of Twitter has been resolved.

    --
    What a depressingly stupid machine.
    1. Re:From TFS by wjousts · · Score: 1

      But how will you know what your favorite celebrities are having for lunch?!?

    2. Re:From TFS by vegiVamp · · Score: 2, Funny

      The hidden webcams I've mounted everywhere in their houses, of course.

      --
      What a depressingly stupid machine.
  19. mocking illiterate editors is too easy by sribe · · Score: 2, Informative

    This could easily be muted into a more sinister attack.

    mute |myot|
    verb [ trans. ]
    1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
      muffle the sound of (a musical instrument), esp. by the use of a mute.
      figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
    2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

    mutate |myott|
    verb
    change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
      Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

    1. Re:mocking illiterate editors is too easy by HaloZero · · Score: 1

      You're entirely right, and that is an oversight on my part. I had originally mis-typed 'mutated' (mutaed?), and instead of spell-checking it to 'mutated', it went to 'muted'. I didn't realize until I saw it on the front page, and said 'Doh!'.

      You got the idea, though.

      --
      Informatus Technologicus
  20. Anyone want to seek it? by AHuxley · · Score: 1

    http://www.spy.appspot.com/ a "search" site for social media
    Might be fun to note who is using it in ~realtime.

    --
    Domestic spying is now "Benign Information Gathering"
  21. Web Interface Exploit? by andr00oo · · Score: 1

    Exploit? I can't see that this is any worse than what the Twitter Web Interface (or any other Twitter interface) was designed to do.

  22. Re:Easy solution by Culture20 · · Score: 5, Insightful

    1994 called, and it wants its World Wide Web back.

    I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>

  23. Curing Retweet Viruses by rakuen · · Score: 1

    It seems this one has been fixed already, but if you get infected in the future, here's one way to fix it so you at least won't spread the plague too much. Other methods exist, but this is how you could do it if for some reason you only wanted to use Twitter's main webpages.

    1) Make sure you've got a script-blocker, such as NoScript.
    2) Disable scripts from Twitter and TwitImg (or whatever the image server is, I can't check it now).
    3) Navigate to twitter.com/USERNAME#
    4) Right now, you lack a lot of Twitter functionality, but the Undo button should still work. Click it.
    5) Twitter should tell you it's attempting to undo. Wait a few moments, and then refresh.
    6) Repeat 4 and 5 until you successfully cure yourself.
    7) Don't use Twitter again until the exploit is fixed.
    8) NOW you can restore your original settings.

  24. wait, what? by Son+of+Byrne · · Score: 1

    This line just made me laugh:

    or refrain from social media altogether

    Sounds like health class again.

    --
    I'd happily pay you Tuesday for a biopsy today!
  25. OWASP's Top Ten by Temujin_12 · · Score: 1

    Every web developer should religiously study OWASP's Top Ten Most Critical Web Application Security Risks and be held accountable to it by their superiors.

    Those who work with contractors should especially do this as I've found that contractors tend to have the worst habits when it comes to security.

    --
    Faith is a willingness to accept something w/o complete proof and to act on it. Reason allows you to correct that faith.
  26. Use a third party client? But they're broken by IBBoard · · Score: 1

    How can I use a 3rd party client when my favourite ones are broken and the ones that aren't broken are missing vital features for those who aren't on Twitter 24/7 (like Gwibber and its lack of scroll-back)? Curse you, OAuth deadline. Curse you!

  27. Re:Easy solution by tehcyder · · Score: 2, Interesting

    *sobs* Whoever thought we'd be getting nostalgic for blink tags?

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  28. Re:Easy solution by uncanny · · Score: 1

    Fine, fine, I'm getting off your lawn, sheesh!

  29. Random ID's by neorush · · Score: 1

    I've always coded most forms, especially login forms, with random form names / IDs. This stops most generic JavaScript-based attacks. While you could certainly code easily enough to submit form 0 and change the value of DOM object 1, it adds to the complexity of the whole exploit, and would have stopped any successful attempts at a hard-coded getElementById().

    --
    neorush
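    The comment above deals with the script once it is already running; the hole it rode in on is the unescaped quote in the link's href attribute. The following is an added example, not code from this thread or from Twitter, showing a link-building function with that defect next to one that entity-encodes the attribute value. The payload string, the helper names and the simplified attribute scanner are constructed for illustration (a real browser's HTML parser behaves the same way on this input, but the scanner is not a full parser).

```javascript
// Constructed sample based on the fragment quoted in the first post, with the
// worm's retweet body replaced by a harmless marker.
const PAYLOAD = 'http://t.co/@"onmouseover="alert(1)"style="background:red"/';

// Defective: the URL is interpolated straight into the attribute, so the
// embedded double quote closes href and the rest becomes new attributes.
function linkifyUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened: encode every character that could end or alter an attribute value
// (or start a tag in the text node) before interpolating.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function linkifySafe(url) {
  const safe = escapeAttr(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Simplified check that mimics how a tokenizer would split the first <a> tag
// into attributes: returns the attribute names it finds, in order.
function attributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/)[1];
  const names = [];
  const re = /([a-zA-Z-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Unsafe output yields href, onmouseover and style; safe output yields only href.
console.log(attributeNames(linkifyUnsafe(PAYLOAD)));
console.log(attributeNames(linkifySafe(PAYLOAD)));
```

A server-side templating layer that encodes attribute context by default gives the same result without each developer having to remember the call.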
  30. Re:Easy solution by djh2400 · · Score: 1

    Seriously, I don't get the anti-JavaScript mindset. From what I understand, however, it is only a small (and quite vocal) minority.

    People who disable JavaScript should not expect to experience a working website (including Twitter).