Slashdot Mirror


Aussie Student Responsible For Twitter Exploit

bennyboy64 writes "An Australian teen has caused havoc on Twitter by discovering an exploit that hit thousands of users, including Barack Obama's press secretary, and resulted in the tweets of a former British PM's wife linking to hardcore porn, The Sydney Morning Herald reports. Pearce Delphin, who is studying his last year at high school, said that he was surprised that 'so many famous people got infected.'"

34 of 122 comments

  1. Got a great career ahead of him by simonbp · · Score: 2, Insightful

    Got a great career ahead of him, if he wants...

    1. Re:Got a great career ahead of him by Cwix · · Score: 2, Informative

      He made a script that changed CSS, someone else used it for bad purposes. He's not lucky, he's just a kid playing with computers that stumbled into something.

      --
      You are entitled to your own opinions, not your own facts.
    2. Re:Got a great career ahead of him by bsDaemon · · Score: 5, Funny

      The 1980s called. They want their curiosity back, you terrorist sympathizer!

  2. "Responsible" by iONiUM · · Score: 5, Informative

    The summary kind of makes it sound like he's a kid who was looking for exploits and then used it to make a virus. This doesn't seem to be the case at all. According to the TFA he saw some people using CSS in their twitter posts, and wondered if he could use HTML/JavaScript (as I would be too). He found he could, did some experimenting, and his followers then started doing it too and it went viral (the idea), and then some malicious people found it, and went viral (the code).

    I assume no punishment is being leveraged against him, but I'm sure many will misunderstand what happened and call for it anyways. Curiosity should be encouraged.

    1. Re:"Responsible" by Inda · · Score: 2, Interesting

      Forgive my ignorance, as I don't use Twitter, but they're supposed to be massive and they make these sorts of mistakes? It's a simple message board, no?

      We were doing this sort of crap on vBulletin boards 10 years ago. Stealing cookies, redirecting, replacing images; all for kicks. After messing about for a week, everyone got bored and we had javascript events blocked on our own board.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    2. Re:"Responsible" by ultranova · · Score: 3, Insightful

      Forgive my ignorance, as I don't use Twitter, but they're supposed to be massive and they make these sorts of mistakes? It's a simple message board, no?

      Twitter is a simple message board, but it's accessed with virtual machines that were never designed but just kinda happened - in other words, modern browsers. Combine that with the attitude some people still have that you need to filter - enumerate all bad things and check for them - rather than simply escape the user-input string, and it shouldn't be a surprise that these things keep on happening.

      Not that it really matters. An exploited website is like graffiti in real life: much ado about nothing.

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
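An added example, not code from the thread or from Twitter: it contrasts the "enumerate all bad things" filter and the plain escaping that ultranova describes, run over a constructed tweet shaped like the mouse-over alert discussed in this thread. The function names and the sample tweet are my own assumptions.

```javascript
// Added example (not from the Slashdot thread or Twitter): contrasts the two
// approaches to putting a user-supplied tweet into HTML. The sample tweet is
// constructed, modelled on the mouse-over alert the thread discusses; the
// function names are assumptions of mine.

// "Enumerate all bad things": strip the tags someone happened to think of.
// The list is never complete, which is why this approach keeps failing.
function filterBlacklist(tweet) {
  return tweet.replace(/<\/?script[^>]*>/gi, "");
}

// Escape the characters that carry meaning in HTML, so whatever the tweet
// contains is rendered as inert text rather than as markup.
function escapeHtml(tweet) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return tweet.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the tweet into the link markup a site wraps it in, applying the
// chosen sanitiser to both the href attribute and the visible text.
function renderTweet(tweet, sanitise) {
  const s = sanitise(tweet);
  return `<a href="${s}">${s}</a>`;
}

// Defender's check on the rendered output: exactly one anchor with a single
// href attribute and no stray quotes or angle brackets. Anything else means
// the tweet text has broken out of the context it was meant to stay in.
function isSafeRender(html) {
  return /^<a href="[^"<>]*">[^<>]*<\/a>$/.test(html);
}

// Constructed tweet: the link text closes the href attribute early and adds
// the onmouseover handler the thread talks about.
const SAMPLE_TWEET = 'http://t.example/@"onmouseover="alert(document.cookie)"';

console.log(renderTweet(SAMPLE_TWEET, filterBlacklist)); // handler survives the blacklist
console.log(isSafeRender(renderTweet(SAMPLE_TWEET, filterBlacklist))); // false
console.log(renderTweet(SAMPLE_TWEET, escapeHtml));      // rendered as inert text
console.log(isSafeRender(renderTweet(SAMPLE_TWEET, escapeHtml)));      // true
```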

  3. Not exactly by Shyfer · · Score: 5, Informative

    The article says he is the one that discovered the exploit, but he did not create the script that made 'tweets of a former British PM's wife linking to hardcore porn'. Just to clarify.

  4. Six Degrees by TubeSteak · · Score: 3, Interesting

    Six degrees of Kevin Bacon pretty much ensures that famous people are going to get hit by the same kinds of malware that the rest of us have to deal with.

    This is doubly true when the vector is a social networking site.

    --
    [Fuck Beta]
    o0t!
    1. Re:Six Degrees by Culture20 · · Score: 2, Interesting

      Six degrees of Kevin Bacon pretty much ensures that famous people are going to get hit by the same kinds of malware that the rest of us have to deal with.

      Does this mean that Hollywood may not have been designed to route around Kevin Bacon in the event that Global Thermonuclear War takes him out? Can a dead Kevin Bacon star in such movies as "Weekend at Bernie Junior's" or as corpse-extras to keep the connections up?

    2. Re:Six Degrees by The_mad_linguist · · Score: 3, Insightful

      See! You can't!

  5. I'd say Twitter is responsible. by Beelzebud · · Score: 2, Insightful

    It's their site, their code, and they set the rules.

  6. Re:who's responsible? by Rhacman · · Score: 2, Insightful

    He's not responsible for Twitter's bad coding but I would say he acted irresponsibly by toying around with it and exposing it to the public rather than reporting it directly to Twitter staff. If a vending machine malfunctions and lets you get candy out of it without paying, it isn't the customer's fault the machine malfunctioned but it doesn't make it right to take the candy or tell everyone in earshot that the machine is giving out free candy. Not saying how I would behave in that situation, just that it wouldn't be right ;)

    --
    Account -> Discussions -> Disable Sigs
  7. Virus or exploit by stimpleton · · Score: 4, Interesting

    "so many famous people got infected."

    I am not a vegetarian, but I get annoyed at people that proclaim "I am vegetarian. I only eat fish, cheese, and chicken."

    Similarly, anyone who was exposed to the computer wrecking viruses of the 90's thru to 2002 knows what "infection" really means. I am not a low level coder, only high level languages in a business environment, but I do wonder what some old skoolers must think when they read about a piece of HTML Javascript being described as "Infection". I am vegetarian, I will eat steak only if it's well done.

    --
    In post Patriot Act America, the library books scan you.
    1. Re:Virus or exploit by hedwards · · Score: 2, Informative

      Actually, cheese is OK in general for vegetarians. Chicken is never OK for a genuine vegetarian, and the term for somebody that only eats meat in the form of seafood would be a Pescetarian. But since many people are familiar with the term, a lot of them refer to themselves as vegetarian anyways.

  8. From TFA... by clone53421 · · Score: 3, Insightful

    After a "little bit of coding", he said he "managed to generate a dialog box containing the data from within the Twitter cookie file". He said "theoretically this could be used to maliciously steal users' account details".

    They make it sound difficult to alert(document.cookie)...

    But "the problem was being able to write code that can steal usernames and passwords while still remaining under Twitter's 140 character tweet limit", he said.

    Ah, so the 140-character limit is actually beneficial in some sense!

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  9. Re:who's responsible? by $RANDOMLUSER · · Score: 3, Insightful

    ...either sloppy coding practices, or high pressure from clueless management to develop software quickly

    Dude, that's almost always an AND, not an XOR.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  10. Re:Who caused it? by morgan_greywolf · · Score: 2, Funny

    Well, the exploit uses JavaScript. This means that any browser that supports JavaScript and does not provide some sort of NoScript facility that's installed and turned on by default would be vulnerable to the exploit.

    Which means pretty much all of them.

    But you can't even blame the browser; the security of Twitter's site belongs solely to Twitter and their crack website development staff.

  11. Re:who's responsible? by clone53421 · · Score: 3, Insightful

    He didn’t really fathom the extent of the exploit, though. He thought it was just a novel toy to pop up alert boxes when you moved the mouse over the tweet. (Well, he actually got the idea of trying to steal users’ session cookies, but didn’t find a way to do it within the 140-character limit.) The idea that really allowed it to go viral – posting a new tweet – was conceived by someone else.

    Hell, I’ve done similar... “oh look, the layout of the page broke after I put a special char in that form element... I wonder if I can make it alert(document.cookie) using that? (sure enough) yup...” The main difference in this case is that (a) it was a massive social networking site and (b) other people could see his experiments and come up with their own little variations on the exploit, some of which were less benign than his experiments had been...

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  12. Re:What I liked by Superken7 · · Score: 2, Interesting

    please read the rest of TFA, not just that sentence.

    He just discovered it but did not exploit it in a malicious way. It was others who did that. I don't think he needs any "defense" for doing an alert('uh oh');

    He probably means that its their responsibility that others abused the exploit that he did NOT write.

  13. Re:What I liked by vux984 · · Score: 2, Insightful

    This would be akin to running blind sql injection on websites, and using that as a defense when you got caught.

    Little Bobby Tables strikes again. ;)

    http://xkcd.com/327/

  14. Re:What I liked by conspirator57 · · Score: 2, Informative

    would you prefer it hadn't been found and exposed so it can be fixed?

    or would you prefer that unknown criminals were the ones exploiting it fraudulently?

    because with a latent bug like this, those are the choices.

    --
    "If still these truths be held to be
    Self evident."
    -Edna St. Vincent Millay
  15. Re:Who caused it? by FuckingNickName · · Score: 5, Insightful

    Since the fall of Adam.

    Well, you did ask.

  16. Not completely patched by wbav · · Score: 2, Interesting

    I just found that in search results, twitter appears to be still affected by this bug.

    The video is still processing but should be up soon.

    --
    =================
    Unix is very user friendly, it's just picky about who its friends are.
  17. Re:who's responsible? by Rhacman · · Score: 2, Insightful

    Fair enough that it probably seemed harmless what he was doing, but it was still a mistake to do it even if it was only apparent in retrospect. I'm not saying crucify him, just that he does bear some portion of the responsibility however big or small.

    --
    Account -> Discussions -> Disable Sigs
  18. Re:What does he have to do with anything? by jeffmeden · · Score: 4, Informative

    Reading comprehension fail.

    "zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow."

    He discovered *someone else's* use of the vulnerability. He then went on to make it more publicly known, and finally lamented the evil that was about to descend upon the twitterverse.

  19. Re:who's responsible? by spikenerd · · Score: 4, Interesting

    Your analogy has many flaws. Hackers do not enter your computer. Exploits are not typical methods of entry. Your home is not a service intentionally placed on the web for others to use. Let me see if I can fix it...

    Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?

  20. Re:who's responsible? by matrim99 · · Score: 5, Insightful

    ...Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?

    Twitter.

    Oh wait, Microsoft.
    No... Google.

    Ooooh, Terrorists. Almost had me there.

    --
    Right. No, your other right. No, the other other right.
  21. He never exploited.. by munky99999 · · Score: 2, Insightful

    He found the exploit... he didn't exploit anything. He is thusly not responsible at all. The mischievous users and twitter are the ones responsible.

  22. This is exactly the kind of scenario by Dracos · · Score: 4, Interesting

    This is exactly the kind of scenario I envisioned last week. This kid's intent wasn't malicious, but think of what a blackhat could do with the HTML5 ping attribute, directing many thousands of twitter users all hammering a single site (and url shortening sites go down as collateral damage) to death. It could originate from any social networking site.

    The ping attribute needs to be dropped or considered much more carefully.

    1. Re:This is exactly the kind of scenario by clone53421 · · Score: 3, Insightful

      think of what a blackhat could do with the HTML5 ping attribute, directing many thousands of twitter users all hammering a single site (and url shortening sites go down as collateral damage) to death. It could originate from any social networking site.

      And that’s any worse than, say, sending them all to a pastebin page that will repeatedly download all the images from the target website?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  23. Re:Who caused it? by iamhassi · · Score: 2, Insightful

    "The guy who discovered the exploit, or the coding process which allowed it?"

    OH I know this one!!!

    What is... the guy that discovered the exploit!

    Because see, even though you discovered that the front door was left open it doesn't give you permission to go in. See how that works? Yeah I know it's very confusing, best just to not check if doors are open unless they're doors you own.

    --
    my karma will be here long after I'm gone
  24. Danish newspaper claims Norwegian boy did it by FreakCERS · · Score: 2, Informative

    According to this article http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=da&tl=en&u=http%3A%2F%2Fpolitiken.dk%2Ftjek%2Fdigitalt%2F1065381%2Fnorsk-dreng-fik-twitter-i-knae%2F (google translated) it was a Norwegian boy who discovered the bug. Not that it really matters, I suppose...

  25. Re:This kid did what exploit hunters do by HornyBastard · · Score: 2, Insightful

    "This kid did what exploit hunters do, release code to the internet knowing it can be used for criminal purposes."

    According to that logic, if I stab you in the face, the guy who sold me the knife is responsible.
    This kid did not do anything wrong. All he did was let people know about the bug.

    car analogy:
    All he did was put a flyer in your window saying that if you switch on the headlights and the radio at the same time, your car will explode. He is now responsible if somebody else uses that knowledge to blow up a lot of cars.

    --
    Death has been proven to be 99% fatal in lab rats.
  26. Re:who's responsible? by reiisi · · Score: 2, Informative

    Hmm.

    Do you have what we in Texas call a driver's license?

    If you do, do you remember, in your first year or so of driving any stupid mistakes you made just because of your lack of experience?

    Do you have your own home server exposed to the 'net? Have you scanned it with the vulnerability scanners available?

    And so forth, without even trying to approach the damping effect on free speech that you are suggesting.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.