Slashdot Mirror


Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be mutated into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."

16 of 165 comments

  1. First Post by Anonymous Coward · · Score: 5, Funny

    http://t.co/@"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

    Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

    1. Re:First Post by blai · · Score: 5, Funny

      RT @Anonymous\ Coward http://t.co/@"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

      --
      In Soviet Russia, God creates you!
  2. Or mobile by bbtom · · Score: 3, Informative

    If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/

    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
    1. Re:Or mobile by bbtom · · Score: 4, Funny

      The conditional word "if" was included for your convenience.

      --
      catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
  3. Hmm by grub · · Score: 4, Insightful
    Why, again, should I be using Twitter?

    --
    Trolling is a art,
    1. Re:Hmm by MrHanky · · Score: 4, Funny

      It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

  4. Again? by Dragoniz3r · · Score: 4, Insightful

    You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

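    The rendering mistake behind this worm can be shown in a few lines. The following is an added example, not code from the Slashdot thread or from Twitter: it takes the payload quoted in the first comment above (the only real input used here), pastes it into an anchor's href by plain string concatenation the way a naive link-ifier would, and contrasts that with rendering that escapes the value for its HTML attribute context and only links http(s) URLs. The function names, the escaping table and the crude handler detector are this example's own assumptions. It runs under Node.js with no DOM.

```javascript
// Added example (not from the Slashdot thread or Twitter's code): how the
// onmouseover payload breaks out of an href attribute when a URL is pasted
// into HTML by string concatenation, and one way to render it safely.
// Runs under Node.js; no DOM required.

// Constructed sample input: the payload quoted in the first comment above.
const PAYLOAD =
  'http://t.co/@"onmouseover="document.getElementById(\'status\').value=' +
  "'RT test_nau';$('.status-update-form').submit();\"style=\"background:red\"/";

// Vulnerable: the URL is dropped straight into an attribute value. The first
// double quote inside it terminates href, and everything after it is parsed
// as further attributes of the <a> element (here: onmouseover and style).
function renderLinkVulnerable(url) {
  return '<a href="' + url + '" class="tweet-url">' + url + '</a>';
}

// HTML escaping for attribute values and text nodes: the five characters
// that can change parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs become links; anything else (for example a
// "javascript:" URL, which escaping alone would not neutralise) is rendered
// as plain text. Assumed policy for this example.
function isSafeUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Safe: same template, but the untrusted value is escaped for the attribute
// context it lands in. The quotes in the payload become &quot; and stay
// inside the href instead of closing it.
function renderLinkSafe(url) {
  if (!isSafeUrl(url)) return escapeHtml(url);
  const e = escapeHtml(url);
  return '<a href="' + e + '" class="tweet-url">' + e + '</a>';
}

// Crude detector for the demonstration only: does the markup contain an
// on* event-handler attribute that the template never intended to emit?
function hasEventHandlerAttribute(html) {
  return /(\s|")on[a-z]+\s*=/i.test(html);
}

// Returns both renderings so the difference can be inspected or tested.
function demo(url = PAYLOAD) {
  return {
    vulnerable: renderLinkVulnerable(url),
    safe: renderLinkSafe(url),
    vulnerableLeaksHandler: hasEventHandlerAttribute(renderLinkVulnerable(url)),
    safeLeaksHandler: hasEventHandlerAttribute(renderLinkSafe(url)),
  };
}
```

    Note where the fix sits: the payload is a syntactically valid URL (the WHATWG parser accepts it with http: as the scheme), so a URL validator on input does not catch it; what stops the breakout is escaping the value at the point where it is written into an attribute, plus refusing non-http(s) schemes so that escaping is not the only line of defence.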
  5. Hosts file by MidnightPsycho · · Score: 3, Informative

    Add "t.co" to your Windows Hosts file - this will stop the gibberish text.
    Although the web interface is still broken. (The interface goes grey, and
    any click still tries to go to the t.co web page)

    Add this to your Hosts file:

    0.0.0.0 t.co

    1. Re:Hosts file by L4t3r4lu5 · · Score: 3, Insightful

      Or don't use Twitter. Seriously.

      Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:Hosts file by Thanshin · · Score: 3, Funny

      nothing of any real import can be expressed in 140 characters...

      "The bag is in locker #437. You'll find your fee and the target's dossier inside."
      "The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
      "Cut the red wire."
      "Salutations earthlings. We come in peace."

      Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.

      "Dear Mr. Assassin. I've left the money, in $20 bills, inside a big black leather bag. The target data will be inside the bag that you'll find in locker #"

  6. Obligatory xkcd by labcoatless · · Score: 3, Funny
  7. Additional details from Netcraft, Sophos by 1sockchuck · · Score: 3, Informative

    There's more info on the spread of this exploit from Paul Mutton at Netcraft and Graham Cluley at Sophos.

  8. Now FIXED by bbtom · · Score: 3, Informative
    --
    catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
  9. Re:Easy solution by Dragoniz3r · · Score: 3, Funny

    I'm sorry, but 1994 called, and it wants its World Wide Web back. Interactive webpages are the future, they are actually really nice when they're done properly, and denying that is just holding you back. I expect that sooner or later secure programming mentalities will become deeply ingrained in Web programming, and things like this will stop happening. There will always be bugs, but that's no different from any other software.

    NoScript is a much better solution than out-and-out disabling JavaScript anyway.

  10. From TFS by vegiVamp · · Score: 3, Funny

    "refrain from social media altogether until the problem is resolved"

    I've been doing exactly that, and intend to keep doing that until the problem of Twitter has been resolved.

    --
    What a depressingly stupid machine.
  11. Re:Easy solution by Culture20 · · Score: 5, Insightful

    1994 called, and it wants its World Wide Web back.

    I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>