Slashdot Mirror


Twitter Closes Hole After Attack Hits Up To 500K Users

chicksdaddy writes "Twitter closed an ugly cross site scripting hole in its Web page Tuesday morning, but not until a fast moving attack, including at least two Twitter worms, compromised hundreds of thousands of user accounts. At its height, the attacks were hitting 100 Twitter users each second, putting estimates of the total number of victims at around 500,000 according to researchers at Kaspersky Lab."

5 of 135 comments

  1. Re:Interesting, yet pointless by Anonymous Coward · · Score: 5, Informative

    That's not the point. Microblogging isn't blogging. Look, here's some people I follow on twitter

    1) Wikileaks - they announce new leaks and news articles about em
    2) Bands, e.g. Oceansize tweeted "People of York, be warned we are likely to be opening the doors late. There are fucktonne of problems with this venue.". 65dos also just released a free track!
    3) Comedy stuff, e.g. the chilean_miner account: "Another troubled night. Ramon was mining in his sleep again" or Jesus_M_Christ: "Mesus Christ, I got hacked? I knew it was a mistake to mouseover a link on Judas' Twitter page."
    4) Friends, who talk about their daily lives (these things interest me)
    5) Work colleagues, to see what conferences they're at and what they're working on
    6) Stuff to do with the societies I'm in at uni, like student robotics organising get-togethers and pub trips.

    Try it. Follow your favourite authors, musicians, websites and so forth. It's like a huge aggregated RSS feed with stuff that isn't normally syndicated included.

  2. Re:Seriously by psyclone · · Score: 2, Informative

    Uh, how hard is it NOT to escape your output?

    Maybe it's difficult to sanitize all of your input, fine. So simply escape it properly on output.

    It's the same thing with SQL injection mitigation: simply use prepared statements and you don't need to worry about the user's input. (Mostly)
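
The escape-on-output point above, shown as an added example (not code from the thread or from Twitter): a tweet renderer that auto-links URLs, once interpolating the raw value into an href attribute and once escaping every untrusted value on output. The sample tweet, the `renderTweetUnsafe`/`renderTweetSafe` names and the URL pattern are constructed for illustration.

```javascript
// Added example: output escaping for a microblog post renderer.

// Escape the characters that change meaning in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only plain http(s) URLs may become links; anything else stays text.
function isSafeHref(url) {
  return /^https?:\/\//i.test(url);
}

// Greedy URL token: everything up to the next whitespace (constructed, deliberately loose).
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: the raw token lands inside a quoted attribute, so a
// double quote in the token terminates href and whatever follows becomes
// further attributes (e.g. an event handler).
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened renderer: escape on output in both text and attribute context.
// The input is not "sanitized"; it is simply never emitted unescaped.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += isSafeHref(url)
      ? `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`
      : escapeHtml(url);
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample: the URL tail closes the href quote and adds an attribute.
const SAMPLE = 'check this http://example.com/"onmouseover="hover() wow';

console.log('unsafe:', renderTweetUnsafe(SAMPLE));
console.log('safe:  ', renderTweetSafe(SAMPLE));
```

In the hardened output the quote arrives as `&quot;`, so the browser still sees a single `href` attribute and the rest of the token is inert link text.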

  3. noscript by bhcompy · · Score: 2, Informative

    And this is why I use NoScript. Sweet, sweet XSS protection with a large, annoying warning when you come across one.

  4. Re:Interesting, yet pointless by lennier · · Score: 3, Informative

    Oh come on. Twitter clients like Tweetdeck automatically shorten links that you paste into them.

    Thereby destroying the name-referentiality of the Web, so as soon as one of those URL-shortener services goes out of business, poof, all the links in saved messages evaporate.

    Tim Berners-Lee cries!

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC

  5. Re:Seriously by Idiomatick · · Score: 2, Informative

    http://htmlpurifier.org/ ? I mean twitter devs could Google the problem I guess.

    And it isn't twitter's first security problem.