Slashdot Mirror


Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."


  1. First Post by Anonymous Coward · · Score: 5, Funny

    http://t.co/@"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

    Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

    1. Re:First Post by blai · · Score: 5, Funny

      RT @Anonymous\ Coward http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

      --
      In Soviet Russia, God creates you!
    2. Re:First Post by c6gunner · · Score: 2, Informative

      Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.

  2. Or mobile by bbtom · · Score: 3, Informative

    If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/

    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    1. Re:Or mobile by bbtom · · Score: 4, Funny

      The conditional word "if" was included for your convenience.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    2. Re:Or mobile by JustOK · · Score: 2, Funny

      So, if he doesn't want to use the web interface, then is the mobile version affected or not?

      --
      rewriting history since 2109
    3. Re:Or mobile by Bonewalker · · Score: 2, Funny

      If a social media hub is infected with a virus and no one is around to mouse-over it, would it still make Slashdot's front page?

  3. Hmm by grub · · Score: 4, Insightful


    Why, again, should I be using Twitter?

    --
    Trolling is a art,
    1. Re:Hmm by MrHanky · · Score: 4, Funny

      It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

    2. Re:Hmm by grub · · Score: 2, Funny

      Well, we're even. I had to google "shibboleth" :)

      Cheers!

      --
      Trolling is a art,
    3. Re:Hmm by tehcyder · · Score: 2, Interesting

      For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?

      In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing. When you log into Film Star A's blog, you know you're just doing the equivalent of reading her diary. But when you get a tweet on your mobile phone, it's sort of like she's talking directly to you.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    4. Re:Hmm by spectro · · Score: 2, Insightful

      Twitter is great for those of us with no writing talent: no need to post a whole blog about an idea we can explain in 140 characters or less

      --
      HTML is obsolete. It's time for a new, simpler and richer markup language.
    5. Re:Hmm by coryking · · Score: 2, Insightful

      Twitter is hardly mainstream. Out of a huge assortment of people I know, almost all of them, nerds or technophobes, have a Facebook account. I have only met one person who claims to use Twitter.

      Twitter is pure, 100% hype. It is the most hyped ".com" I've seen since, well, the dot.com days. Seriously. Twitter is not mainstream in the least.

  4. Again? by Dragoniz3r · · Score: 4, Insightful

    You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

  5. Hosts file by MidnightPsycho · · Score: 3, Informative

    Add "t.co" to your Windows Hosts file - this will stop the gibberish text. Although the web interface is still broken. (The interface goes grey, and any click still tries to go to the t.co web page)

    Add this to your Hosts file:

    0.0.0.0 t.co

    1. Re:Hosts file by bbtom · · Score: 2, Informative

      That's not a great solution, because Twitter shortens lots of links through t.co, meaning you'll click on links on Twitter and go to 0.0.0.0.

      The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ ) until Twitter fixes the exploit.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    2. Re:Hosts file by Anonymous Coward · · Score: 2, Informative

      But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

    3. Re:Hosts file by L4t3r4lu5 · · Score: 3, Insightful

      Or don't use Twitter. Seriously.

      Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:Hosts file by Thanshin · · Score: 3, Funny

      nothing of any real import can be expressed in 140 characters...

      "The bag is in locker #437. You'll find your fee and the target's dossier inside."
      "The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
      "Cut the red wire."
      "Salutations earthlings. We come in peace."

      Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.

      "Dear Mr. Assassin. I've left the money, in $20 bills, inside a big black leather bag. The target data will be inside the bag that you'll find in locker #"

  6. Obligatory xkcd by labcoatless · · Score: 3, Funny
    1. Re:Obligatory xkcd by Kristopeit,MichaelDa · · Score: 2, Informative
      obligatory you're an idiot...

      the issue was with sanitizing database OUTPUT.

      little bobby tables wouldn't even allow such a trivially basic error like this to make its way onto production servers.
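      The point made in this reply and in the "Again?" comment above is output encoding, not input filtering. As an added example that is not code from the thread or from Twitter, here is a link renderer that places a URL into an href attribute: the unsafe version lets a quote in the URL close the attribute so that what follows becomes new attributes (an onmouseover handler, a style), and the hardened version validates the scheme and escapes at the point of output. The function names and the sample URL are constructed for illustration.

```javascript
// Vulnerable renderer: concatenates the URL into the attribute verbatim.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the characters that break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) URLs, so javascript: and data: links are never emitted.
function isHttpUrl(url) {
  return /^https?:\/\//i.test(url);
}

// Hardened renderer: validate the scheme, then encode at the point of output.
function renderLinkSafe(url) {
  if (!isHttpUrl(url)) return escapeHtml(url); // render as inert text, no anchor
  const enc = escapeHtml(url);
  return '<a href="' + enc + '">' + enc + '</a>';
}

// Helper for checking results: the attribute names a browser would see on
// the first <a> tag in the markup (empty list if there is no anchor at all).
function attributeNames(html) {
  const tag = html.match(/<a\s+([^>]*)>/);
  if (!tag) return [];
  return Array.from(tag[1].matchAll(/(\w+)="[^"]*"/g), (m) => m[1].toLowerCase());
}

// Constructed sample: a URL whose quote ends the href value and appends a handler.
const SAMPLE_URL = 'http://t.co/@"onmouseover="alert(1)"style="background:red';

console.log(attributeNames(renderLinkUnsafe(SAMPLE_URL))); // [ 'href', 'onmouseover', 'style' ]
console.log(attributeNames(renderLinkSafe(SAMPLE_URL)));   // [ 'href' ]
console.log(attributeNames(renderLinkSafe('javascript:alert(1)'))); // []
```

      Sanitizing input would not have helped here if the stored tweet was later rendered by a different template; encoding where the value meets the markup is what closes the hole.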

  7. Additional details from Netcraft, Sophos by 1sockchuck · · Score: 3, Informative

    There's more info on the spread of this exploit from Paul Mutton at Netcraft and Graham Cluely at Sophos.

  8. Also saw by asdfington · · Score: 2, Interesting

    http://a.no/@"onmouseover=";$('textarea:first.val(this.innerHTML);$.('status-update-form.submit();"class="modal-overlay"/ which puts an overlay on the whole site, causing any mouseover to retweet. Personally I think this is pretty hilarious. If you mouse around a bunch you get something like this: http://i.imgur.com/qTPeK.png Yes I know you can see my acct. in the bg, I don't care; if it were private, why would I put it on twitter?

  9. Now FIXED by bbtom · · Score: 3, Informative
    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
  10. Re:Easy solution by Dragoniz3r · · Score: 3, Funny

    I'm sorry, but 1994 called, and it wants its World Wide Web back. Interactive webpages are the future, they are actually really nice when they're done properly, and denying that is just holding you back. I expect that sooner or later secure programming mentalities will become deeply ingrained in Web programming, and things like this will stop happening. There will always be bugs, but that's no different from any other software.

    NoScript is a much better solution than out-and-out disabling javascript anyways.

  11. Re:Well by The+MAZZTer · · Score: 2, Informative

    Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.

  12. From TFS by vegiVamp · · Score: 3, Funny

    "refrain from social media altogether until the problem is resolved"

    I've been doing exactly that, and intend on keeping to do that until the problem of Twitter has been resolved.

    --
    What a depressingly stupid machine.
    1. Re:From TFS by vegiVamp · · Score: 2, Funny

      The hidden webcams I've mounted everywhere in their houses, of course.

      --
      What a depressingly stupid machine.
  13. mocking illiterate editors is too easy by sribe · · Score: 2, Informative

    This could easily be muted into a more sinister attack.

    mute
    verb [ trans. ]
    1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
      muffle the sound of (a musical instrument), esp. by the use of a mute.
      figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
    2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

    mutate
    verb
    change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
      Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

  14. Re:Easy solution by Culture20 · · Score: 5, Insightful

    1994 called, and it wants its World Wide Web back.

    I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>

  15. Re:Easy solution by tehcyder · · Score: 2, Interesting

    *sobs* who ever thought we'd be getting nostalgic for blink tags?

    --
    To have a right to do a thing is not at all the same as to be right in doing it