Twitter Suffers Web Interface Exploit

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."

First Post

http://t.co/@"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:First Post

[blai]

RT @Anonymous\ Coward http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Hmm

[grub]

Why, again, should I be using Twitter?

Re:Hmm

[MrHanky]

It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

Again?

[Dragoniz3r]

You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

Re:Or mobile

[bbtom]

The conditional word "if" was included for your convenience.

Re:Easy solution

[Culture20]

1994 called, and it wants its World Wide Web back.

I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>