Twitter Closes Hole After Attack Hits Up To 500K Users

chicksdaddy writes "Twitter closed an ugly cross site scripting hole in its Web page Tuesday morning, but not until a fast moving attack, including at least two Twitter worms, compromised hundreds of thousands of user accounts. At its height, the attacks were hitting 100 Twitter users each second, putting estimates of the total number of victims at around 500,000 according to researchers at Kaspersky Lab."

Seriously

How complicated is it to write somewhat secure software that processes 140 character messages?

Re:Seriously

[lennier]

"and add features nobody wants" going by the demand for url shortening services, TwitPic, TwitVid, etc, etc. It's obvious there is demand for new features.

And presumably the top of those features would be "allow messages larger than 140 characters so that we can just post the actual URL".

With a few billion dollars and about 40 years worth of solid development, Twitter might eventually turn into some sort of simple transfer protocol for multipurpose Internet mail...

Re:Seriously

[cyclomedia]

Alternatively as they're happy to expand the tweet metadata to include Location, Date, Time, Platform and Color-Of-Socks why not add an extra field to contain an optional Link. The link would not be printed onscreen, instead there would just be a Link icon if the tweet contained a link and the 140 characters would then still be free to describe what the link is linking to

Re:Interesting, yet pointless

[stepdown]

I treat it more as an RSS feed. A lot of people use it to link to full articles, and as a means of just sharing links to information it's great.

Re:Interesting, yet pointless

Yet, you read and post Slashdot comments.

dupe

This was covered in the original post this morning. Nothing new in FTA versus the comments in the other one...

Re:Interesting, yet pointless

[Abstrackt]

Yet, you read and post Slashdot comments.

It's no fun complaining about something if no one sees or hears you doing it.

I have a theory that this is also why Facebook and Twitter have gained so much popularity. Half the updates I see on either are complaints about work, chores, some person who won't be named but must be publicly called out on some unspecified charge and/or the weather.

Re:Interesting, yet pointless

No, I don't use Twitter. Yes, I see the point of using Twitter. No, I don't go around telling people how great life is without Twitter.

I'm sure that there are thousands of fantastic services out there, both on the internet and IRL, for which I have no use, and loads of great services for which I can't even envisage a practical use.

Another thing; your own viewpoints aren't the only ones and likely to be incorrect or incomplete when thoroughly scrutinized. Deal with it.

Re:Interesting, yet pointless

[MobileTatsu-NJG]

Is it really better than reading a well thought out and reasoned article about something?

I like how you ask this on a site that routinely uses the term "RTFA".

Re:Interesting, yet pointless

[Pecisk]

While Twitter is not Jack Of All Trades as Facebook claims to be for example, it is very useful tool for information freaks. It really is useful IF used properly - or complete waste of time if not. I use it to get info about lot of interesting things which I would miss otherwise. No, I don't use it for 'OMG Radiohead rulles'. I also use it for spreading information which can be interesting for others too.

In fact Twitter IS micro blogging, so in nutshell, it has mostly those same strengths and weaknesses as normal blogging. However, it is much easier to just write small message than compose entire blog entry. So you can state a fact about traffic on road. Or result in sports game. Or anything what happens, you witnessing it and want to spread message quickly. It feels and works like sms network.

So, again, it really depends how do you use this tool. Some companies use it to get fast and quick communication with clients when needed. They follow filters and tags and react if there is a problem.

Re:Interesting, yet pointless

[metamatic]

Actually, no, as a means of just sharing links to information it sucks, because you generally can't fit URLs and useful description into 140 characters--so you either have to skip describing the thing you're linking to, or you have to obfuscate the URL through a redirection service.

Facebook, delicious.com, Tumblr etc are much better ways of sharing links to information.

Re:Interesting, yet pointless

[dotgain]

Never happened to me once. Probably got something to do with not following idiots who post such links.

Why all the hate?

[inanet]

I really don't get the twitter hate.

I don't like facebook, but I can see its value, particularly if you manage it right and use it to share news and photos with friends and family etc. there are other valuable uses, but I use the example.

I still dont use it.

I don't use bebo, or myspace, or facepalm or crotchpunch.

Doesn't mean I have to hate on them.

I use twitter in much the same way other people have mentioned. I don't follow twitter shitters. (people who tweet constantly about inane shite) But I do follow people who provide interesting information, along with people I know and a range of news sites from aljazeera to bbc, to the NZ news site stuff, to Scientific american, and a range of others!

I follow a range of people, and I Find twitter useful because i can fire up my smartphone, pull up my twitter client and get a "snapshot of the world" and that's really what it is, any big news event happens, anywhere in the world I would probably put money on the fact I'll hear about it before anyone who isn't on twitter and isn't directly affected.
XKCD did a great comic about how people could hear about an earthquake via twitter before the actual shockwaves hit them.
but in short, if you don't want to use twitter, then don't, but all that your raging anti-twitter stance says is "I tried twitter but nobody followed me back"
so obviously you had nothing to add, therefore thank you for not using the service, you've increased its value already!

Re:Why all the hate?

[apoc.famine]

I had this discussion over some beers with some like-minded friends recently. What we settled on was, "When does it stop?"

BBS, finger, chat, IRC, email, IMs of 90 flavors, pagers, forums, MySpace, texting, LiveJournal, Blogs, Facebook, Twitter, LinkedIN, etc...

I think the Twitter hate is because you are hanging around the demographic that's largely filled its quota for "new shit that I have to keep track of". Add in our games, RSS feeds, slashdot, comics, etc., and we've filled our time on the internet. We either have to start purging old methods of communication and old pastimes, or we can't start new ones.

Right now, there's a large number of us who have thriving communities in enough places that we're not interested in another. It's not just Twitter - that's just the one that we're being pushed the hardest to adopt. And for a lot of us, Twitter doesn't hold a draw. I'm sure you've found some reasons to adopt it. But I don't have time for it. I'm full up.

Yet here you are, blathering on about how you use Twitter for so many things, how useful it is, blah blah blah.

Does it make any more sense now why the Twitter hate? We don't care already. Shut up about it. Some of us aren't about to give up something else for Twitter, and we'd need to in order to pay attention to it.

Our information bandwidth has been exceeded.

The sooner you and everyone else stops rambling on about The Next Big Thing On The Internet, the sooner we'll stop hating it.

(For the record, I came here to find technical details about the XSS, for although I don't care about Twitter, the details are important in the grand context of the internet. I just figured since you hadn't figured it out yet, I'd stop and point out why a lot of us hate Twitter. And your post which had nothing to do with the details of this attack is a prime example. We get it. You want to make passionate love to Twitter and have its babies. Yet you come to an article about a hack job, and instead of posting anything interesting about the technical aspects, you post a totally unrelated bit of flamebait about "Twitter Hate". That's why we hate Twitter. People doing what you just did. So if it bothers you that we hate your exciting new lover, stop posting shit about your love for Twitter when it's entirely inappropriate.)

Re:Interesting, yet pointless

[lennier]

Because someone always changes an email, or someone gets all spam-infected and spews to the whole list or whatever and you have bounces, etc.
A twitter feed is just dead simple. It's also nice for quick updates; I couldn't make the game, but the captain tweeted a 5-2 win immediately after, so I got to see it.
It's incredibly nice; no need to visit a webpage or check your email or whatever, it's in a little app that everyone has on their phone or computer or whatever.

All these things are sensible, but I have two major questions:
1. Why isn't something this widely useful (publish/subscribe messaging) a protocol - logically, an SMTP extension - rather than a proprietary web application?
2. Why does it have to be limited to 140 characters? People who want publish/subscribe also want to send arbitrary files to all their friends, not just tiny snippets which can't even store a Web-standard URL. Since most people on mobile devices now use data services, there seems to be no reason to hamstring serious computer users just to keep up compatibility with a broken historical text-messaging limit.

Pub/sub and microblogging are two orthogonal technologies. Rather, channel-oriented pub/sub is a distribution model (solving the nightmare of managing mailing lists), and microblogging is an application. We should not tie the pub/sub distribution model myopically to the microblogging application. Twitter (and Facebook) both seem to be very obviously The Right Thing To Do but equally obviously The Wrong Way To Do It . So when does the Right Thing appear?

Have we so soon forgotten that what make the Web work was open distributed free-to-implement standards?