Aussie Student Responsible For Twitter Exploit
bennyboy64 writes "An Australian teen has caused havoc on Twitter by discovering an exploit that hit thousands of users, including Barack Obama's press secretary, and resulted in the tweets of a former British PM's wife linking to hardcore porn, The Sydney Morning Herald reports. Pearce Delphin, who is studying his last year at high school, said that he was surprised that 'so many famous people got infected.'"
The summary kind of makes it sound like he's a kid who was looking for exploits and then used it to make a virus. This doesn't seem to be the case at all. According to the TFA he saw some people using CSS in their Twitter posts, and wondered if he could use HTML/JavaScript (as I would be too). He found he could, did some experimenting, and his followers then started doing it too and it went viral (the idea), and then some malicious people found it, and went viral (the code).
I assume no punishment is being leveraged against him, but I'm sure many will misunderstand what happened and call for it anyways. Curiosity should be encouraged.
The article says he is the one that discovered the exploit, but he did not create the script that made 'tweets of a former British PM's wife linking to hardcore porn'. Just to clarify.
Six degrees of Kevin Bacon pretty much ensures that famous people are going to get hit by the same kinds of malware that the rest of us have to deal with.
This is doubly true when the vector is a social networking site.
[Fuck Beta]
o0t!
"so many famous people got infected."
I am not a vegetarian, but I get annoyed at people that proclaim "I am vegetarian. I only eat fish, cheese, and chicken."
Similarly, anyone who was exposed to the computer-wrecking viruses of the '90s through to 2002 knows what "infection" really means. I am not a low-level coder, only high-level languages in a business environment, but I do wonder what some old skoolers must think when they read about a piece of HTML JavaScript being described as "Infection". I am vegetarian, I will eat steak only if it's well done.
In post Patriot Act America, the library books scan you.
After a "little bit of coding", he said he "managed to generate a dialog box containing the data from within the Twitter cookie file". He said "theoretically this could be used to maliciously steal users' account details".
They make it sound difficult to alert(document.cookie)...
But "the problem was being able to write code that can steal usernames and passwords while still remaining under Twitter's 140 character tweet limit", he said.
Ah, so the 140-character limit is actually beneficial in some sense!
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Dude, that's almost always an AND, not an XOR.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
He didn’t really fathom the extent of the exploit, though. He thought it was just a novel toy to pop up alert boxes when you moved the mouse over the tweet. (Well, he actually got the idea of trying to steal users’ session cookies, but didn’t find a way to do it within the 140-character limit.) The idea that really allowed it to go viral – posting a new tweet – was conceived by someone else.
Hell, I’ve done similar... “oh look, the layout of the page broke after I put a special char in that form element... I wonder if I can make it alert(document.cookie) using that? (sure enough) yup...” The main difference in this case is that (a) it was a massive social networking site and (b) other people could see his experiments and come up with their own little variations on the exploit, some of which were less benign than his experiments had been...
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
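Added example, not part of any comment in this thread and not Twitter's code: the comments above describe a special character breaking the page markup so that a mouse-over handler fires. The sketch below shows a weak link renderer beside a hardened one, plus a regression check for injected `on*` attributes. The function names, the `example.test` URL and the sample tweet are constructed for illustration.

```javascript
// Added illustration: a constructed tweet renderer, not Twitter's code.
const URL_RE = /https?:\/\/\S+/g;
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end a text node or a quoted attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Weak: the matched URL is pasted into href="..." unencoded, so a double
// quote inside it closes the attribute and the rest parses as new attributes.
function renderUnsafe(tweet) {
  return tweet.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened: every piece of user text is encoded for its output context.
function renderSafe(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    const u = escapeHtml(m[0]);
    out += escapeHtml(tweet.slice(last, m.index));
    out += `<a href="${u}" rel="nofollow">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Regression check: names of on* event-handler attributes found on <a> tags.
function eventHandlerAttrs(html) {
  const found = [];
  for (const tag of html.matchAll(/<a\s([^>]*)>/g)) {
    for (const attr of tag[1].matchAll(/([a-zA-Z-]+)\s*=\s*"[^"]*"/g)) {
      const name = attr[1].toLowerCase();
      if (name.startsWith('on')) found.push(name);
    }
  }
  return found;
}

// Constructed sample input (not a captured tweet).
const SAMPLE = 'look http://example.test/"onmouseover="alert(1)"';
console.log('unsafe:', eventHandlerAttrs(renderUnsafe(SAMPLE)));
console.log('safe:  ', eventHandlerAttrs(renderSafe(SAMPLE)));
```

The same check can run in a test suite over rendered output so that a later template change that drops the encoding fails the build.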
Since the fall of Adam.
Well, you did ask.
Reading comprehension fail.
"zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow."
He discovered *someone else's* use of the vulnerability. He then went on to make it more publicly known, and finally lamented the evil that was about to descend upon the twitterverse.
Your analogy has many flaws. Hackers do not enter your computer. Exploits are not typical methods of entry. Your home is not a service intentionally placed on the web for others to use. Let me see if I can fix it...
Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?
...Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?
Twitter.
Oh wait, Microsoft.
No... Google.
Ooooh, Terrorists. Almost had me there.
Right. No, your other right. No, the other other right.
This is exactly the kind of scenario I envisioned last week. This kid's intent wasn't malicious, but think of what a blackhat could do with the HTML5 ping attribute, directing many thousands of Twitter users all hammering a single site (and URL-shortening sites go down as collateral damage) to death. It could originate from any social networking site.
The ping attribute needs to be dropped or considered much more carefully.
The 1980s called. They want their curiosity back, you terrorist sympathizer!