Twitter Suffers Web Interface Exploit 165

Posted by CmdrTaco
from the they-meant-to-tweet-that dept.
HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."
  • First Post (Score:5, Funny)

    by Anonymous Coward on Tuesday September 21, 2010 @08:32AM (#33648718)

    http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

    Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

    • by blai (1380673) on Tuesday September 21, 2010 @08:36AM (#33648776)
      RT @Anonymous\ Coward http://t.co/@ [t.co] [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.
    • by goombah99 (560566)

      How does this actually work? It's usually hard to write a program that can print itself out. And to do that in so few characters would be even harder. However, it looks like this one is somehow cheating and asking the containing document to tell it its own content. But I'm not a good enough JavaScript programmer to understand it.

      • Re: (Score:3, Informative)

        by c6gunner (950153)

        Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.

  • I'm sure glad all the tweets about this have the #mouseover hash tag so I can click on it in my client to open the twitter.com web interface and read about how I shouldn't use the twitter.com web interface.
    • Looks like any JS event for anchor tags can be used (I just made one using the sample seen in the article for an onclick handler that returns false).
    • Re: (Score:3, Informative)

      by The MAZZTer (911996)
      Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.
  • Or mobile (Score:4, Informative)

    by bbtom (581232) on Tuesday September 21, 2010 @08:33AM (#33648730) Homepage Journal

    If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/ [twitter.com]

  • Hmm (Score:4, Insightful)

    by grub (11606) <slashdot@grub.net> on Tuesday September 21, 2010 @08:34AM (#33648738) Homepage Journal

    Why, again, should I be using Twitter?
    • Re:Hmm (Score:5, Funny)

      by MrHanky (141717) on Tuesday September 21, 2010 @08:37AM (#33648778) Homepage Journal

      It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

      • Can't really tell if that's a joke about the article, or whether that's actually meant to mean something useful. Doesn't really help answer his question either way.

    • by Pojut (1027544)

      I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

      • by grub (11606)
        Yes, for that I agree; I should have clarified that I meant as a 'tweeter'.

        Still think I nailed it when I wrote "Twitter: the UDP of human conversation. -me" [slashdot.org]
        • by kisrael (134664)

          Ironically, your clever (and shibboleth-ish; I had to google UDP to make sure I got it) line about twitter is an excellent example of what twitter is excellent for, as a "tweeter" -- the sharing of an engaging twist of perspective.

          There's a lingering perception of twitter as a "what I'm having for dinner right now" kind of thing, but in practice that's a small fraction of the use of it (YMMV)-- conversely I would say Twitter's "right in the moment" aspect makes such talk a little more engaging and less bana

      • Re: (Score:2, Insightful)

        I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

        But.. but.. but... it's mainstream! And mainstream stuff, especially things that require 'followers' or 'friends', is dumb and stupid and totally beneath us nerds! I prefer to use email and other less ideal solutions that this thing does elegantly!

        • Re: (Score:3, Insightful)

          by coryking (104614)

          Twitter is hardly mainstream. Out of a huge assortment of people I know, almost all of them, nerds or technophobes, have a Facebook account. I have only met one person who claims to use Twitter.

          Twitter is pure, 100% hype. It is the most hyped ".com" I've seen since, well, the dot.com days. Seriously. Twitter is not mainstream in the least.

          • "Twitter is hardly mainstream.... It is the most hyped ".com" I've seen since, well, the dot.com days."

            Heh. Seriously? It's more hyped than any .com and it's not mainstream?

            Two billion tweets in a 3 month period? Every business and their mother advertising 'follow us on twitter!' The word 'tweet' being widely recognized by most Joe Schmoes?

            Okie doke. Not mainstream at all.

    • Re: (Score:2, Insightful)

      by kisrael (134664)

      I can't tell you why you should be using Twitter, but some of us have friends or know of folks online who are good at dropping the pithy bon mot, or find it a convenient way to announce things.

      Why again should you be using email? Or SMS txt'ing? Or slashdot?

      • by NotBorg (829820)

        Email? Meh, old news. Texting? Meh, newfangled. Slashdot? Ah Slashdot: You will never find a more wretched hive of scum and villainy. We must be cautious.

    • by AbRASiON (589899) *

      I have mod points, so it's really hard to decide if I should reply or just send your obvious bait into oblivion.
      Instead I'll bite though.

      I hated twitter when I first heard about it, I didn't 'get' it. Now, having used it - it's the most powerful communications tool I've ever seen, period.
      It's a perfect replacement to SMS, I can see if events are occurring internationally almost instantly, I can broadcast things to all or keep them private. It's an incredible tool for sharing information and frankly should

      • Re: (Score:3, Interesting)

        by tehcyder (746570)
        For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?

        In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing. When you log into Film Star A's blog, you know you're just doing the equivalent of reading her diary. But when you get a tweet on your mobile phone, it's sort of like she's talking directly to you.
        • by kisrael (134664)

          "For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?"

          It's the one to many thing -- not "many" as in "countless hoards of fans", but many as in "a set of people I know in real life and who I've run into online" -- most people don't generate enough content to make a website worth coming back to on a daily or more basis, but amalgamated with a bunch of other people's thoughts, and now you've got something!

          Th

    • judging by the media, I'd say you're supposed to use twitter if you're ever in jail/kidnapped in a third world country. Then you'll be set free by a flashmob of justin berbers, only to discover you've just been punk'd.
    • by CrazyJim1 (809850)
      I got my job through Twitter. It is social networking. If you use it right, you meet new people.
    • Re: (Score:3, Insightful)

      by spectro (80839)

      Twitter is great for those of us with no writing talent: no need to post a whole blog about an idea we can explain in 140 characters or less

      • by dswensen (252552)

        Actually, being able to work within strict limitations -is- a pretty good indicator of talent. It's much easier to bloviate for paragraphs at a time without saying anything.

  • Again? (Score:5, Insightful)

    by Dragoniz3r (992309) on Tuesday September 21, 2010 @08:34AM (#33648748)
    You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?
    • by NevarMore (248971)

      What if it's a tweet about programming in JavaScript?

      • Then you escape it so it displays, instead of executing... seriously... same way you handle < and > and all the other naughty characters
      • by martas (1439879)
        then force people to use escaped sequences. i.e. only display "computer.fuckUp()" at the very last step, in the ui. everywhere else it should be "computer\.fuckUp\(\)". [note: toy example. not actually claiming that '.' and parens should be escaped...]
      • by cygnwolf (601176)
        So you sanitize it to display characters only instead of a script.
      • Easy. If they escaped double-quotes (") to &quot; then this wouldn't happen because the code wouldn't be able to escape the href section of the link.

    • by Deag (250823)

      I think it is half solutions that are the problem. Allowing any sort of tags allows for adding script to various events and the like and even stripping them is quite difficult.
      You either need to use a library that is proven to do this or escape all html.

      • or the server could just convert < and > to &lt; and &gt; when it received a tweet, wouldn't that work to "escape all HTML"?

        • by Deag (250823)

          That is one way of doing it, but if you have a requirement for rich text for example it complicates things. And the more control you are handing over to the user the more difficult it is to stop javascript sneaking in somewhere.

        • by omnichad (1198475)

          The server shouldn't really store HTML entities. You don't want to receive that junk in an XML API or to have to convert it for a non-HTML desktop client. You store the original and escape for display.

          • Good point, that's actually how I already handle this type of situation in my own apps now that I think about it: escape HTML special chars and convert newlines to break tags on the way out, but leave the original text in the database.
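The escaping points made in this sub-thread (store the original text, escape only on output, and why converting only `<` and `>` is a half solution against this particular payload) as an added JavaScript example. This is not Twitter's code and not code from anyone in the thread: the auto-linker functions, the `retweet()` handler name and the sample tweet are constructed for illustration and mirror the shape of the payload quoted in the first post.

```javascript
// Added example, not Twitter's code: a toy auto-linker that turns URLs in a
// tweet into <a href> tags, rendered three ways, to show why the quoted
// payload breaks out of the href attribute and which escaping closes it.

// Constructed sample tweet, mirroring the shape of the payload quoted in the
// thread (the retweet() handler name is a placeholder, not real code).
const SAMPLE_TWEET = 'look http://t.co/@"onmouseover="retweet()"style="background:red"/ wow';

// What the server stores: the original text, untouched. Escaping happens
// only when the text is rendered into HTML.
const STORED_TWEET = SAMPLE_TWEET;

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: the URL text is concatenated straight into the
// attribute, so a double quote inside it ends the href value early and
// whatever follows becomes further attributes of the <a> tag.
function renderVulnerable(text) {
  return text.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// "Half solution": only < and > are converted to entities. The payload has no
// angle brackets at all, so this leaves the attribute breakout untouched.
function escapeAngleBracketsOnly(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderHalfEscaped(text) {
  return text.replace(URL_RE, url => {
    const u = escapeAngleBracketsOnly(url);
    return `<a href="${u}">${u}</a>`;
  });
}

// Escape for both text and double-quoted attribute context: & < > " '.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ENTITY[c]);
}

// Escape-on-output renderer: every segment is escaped for the context it is
// placed in. The regex already restricts href to http(s), so a javascript:
// URL can never be auto-linked either.
function renderEscaped(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));   // plain text before the URL
    const u = escapeHtml(m[0]);                       // attribute-safe URL
    out += `<a href="${u}">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));        // trailing plain text
}

// Crude check a tester can run over rendered output: list the attributes of
// the first <a> tag as name="value" pairs, roughly as a browser would see them.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\s+([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z-]+)="([^"]*)"/g)].map(m => m[1]);
}

console.log('stored unchanged :', STORED_TWEET === SAMPLE_TWEET);
console.log('vulnerable       :', anchorAttributeNames(renderVulnerable(STORED_TWEET)));
console.log('only <> escaped  :', anchorAttributeNames(renderHalfEscaped(STORED_TWEET)));
console.log('escape on output :', anchorAttributeNames(renderEscaped(STORED_TWEET)));
```

Run with `node`. The vulnerable and angle-bracket-only renderers both yield an anchor carrying `href`, `onmouseover` and `style`; the escape-on-output renderer yields an anchor with only `href`, while the stored tweet text is never modified.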

    • by iLogiK (878892)

      From what I could tell, the string looks something like this: http://example.com/#@ [example.com]"onmouseover=">"

      my guess is this is some bug related to how they handle hashtags/user profile links

      I think they're regularly running a script that takes out the # from the link from old tweets

    • by TheSpoom (715771)

      Why is filtering this stuff out not part of standard input sanitization practices by now?

      It is, I'd just guess that whoever is behind Twitter is not as competent as you might think.

  • Hosts file (Score:3, Informative)

    by MidnightPsycho (827920) on Tuesday September 21, 2010 @08:35AM (#33648758)

    Add "t.co" to your Windows Hosts file - this will stop the gibberish text.
    Although the web interface is still broken. (The interface goes grey, and
    any click still tries to go to the t.co web page)

    Add this to your Hosts file:

    0.0.0.0 t.co

    • Re: (Score:3, Informative)

      by bbtom (581232)

      That's not a great solution, because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0

      The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

    • by MrHanky (141717)

      No. Some of the tweets use a different address.

    • That won't do anything. t.co is only used in order to trick twitter into creating an anchor tag, to which the onmouseover handler can be attached. Since you're on twitter.com the only place an AJAX call can be sent to retweet is... twitter.com. example.com can be used instead of t.co and the exploit would still work the same.
  • by labcoatless (1902340) on Tuesday September 21, 2010 @08:38AM (#33648794)
    • Re: (Score:2, Informative)

      obligatory you're an idiot...

      the issue was with sanitizing database OUTPUT.

      little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.

      • by ledow (319597)

        Whichever way you look at it (input or output) no damn javascript should EVER make it into a tweet. Nobody but Twitter knows if that's because the tweet-input routines didn't filter it effectively, or because the tweet display routines allow you to see the javascript as actual markup instead of sanitised plain-text.

        Either way, allowing JS scripts, HTML tags or anything NOT TEXT into a tweet means you didn't attend your first grade computer security courses. This isn't some massively complex hack - somehow

      • Completely random aside, but in English even though you use 's to signify possession for nouns, instead of "it's", you actually write it "its".

        Happy to help you sanitise your output ;)

  • by 1sockchuck (826398) on Tuesday September 21, 2010 @08:38AM (#33648808) Homepage
    There's more info on the spread of this exploit from Paul Mutton at Netcraft [netcraft.com] and Graham Cluley at Sophos [sophos.com].
  • ...so it is recommended that you refrain from social media altogether.

    There, fixed it for you.

  • Also saw (Score:2, Interesting)

    by asdfington (1877976)
    http://a.no/@ [a.no]"onmouseover=";$('textarea:first.val(this.innerHTML);$.('status-update-form.submit();"class="modal-overlay"/ which puts an overlay on the whole site, causing any mouseover to retweet. Personally I think this is pretty hilarious. If you mouse around a bunch you get something like this: http://i.imgur.com/qTPeK.png [imgur.com] Yes I know you can see my acct. in the bg, I don't care; if it were private, why would I put it on twitter?
  • Now FIXED (Score:4, Informative)

    by bbtom (581232) on Tuesday September 21, 2010 @08:55AM (#33649074) Homepage Journal

    It is now FIXED.

    http://twitter.com/delbius/status/25120366027 [twitter.com]

    • by mybecq (131456)

      The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.

      about 1 hour ago via web
      Retweeted by 100+ people

      So, they tweeted that they had fixed a bug preventing unintended retweeting, and 100+ people have retweeted it?

  • a web application allowing users to output html that can alter layout, or javascript that can be executed is such a giant fail, that twitter should seriously consider firing the highest members of its management staff responsible for code architecture review.

    as is always the case, they'll claim it passed regression testing, so there was nothing they could do... but the simple fact is they failed at creating viable regression tests.

    this is kindergarten CS stuff... these are the developers the big name out

  • until they fix twitter.

    EVERYONE! Grab a shovel.. dig a hole in the sand and instruct the person next to you to put their head in the hole, now bury their heads in the sand. Everyone do the same! Wait... one person will have to be left behind.

    This is a well orchestrated attack by twitter to highlight the need to move to their own in-house url shortener t.co instead of all those other pesky untrustworthy other url shorteners. However, on a funny note it's amazing how people will, nay, must click things, espec

  • I'm confused as to how reducing the intensity of this exploit would make it more sinister. If anybody can give me an idea of how that would work, I would appreciate it.
    Now on the other hand if this attack were to mutate I could see it easily becoming something that might be very disruptive for twits (those who use Twitter).
    • by nwmann (946016)
      perhaps they mean making it less noticed and more destructive. therefore quiet or muted to us all the while racking up the damage.
  • by vlm (69642)

    If that was TLDR, here's my summary:

    "... it is recommended that you ... refrain from social media altogether ..."

    Works for me!

  • From TFS (Score:4, Funny)

    by vegiVamp (518171) on Tuesday September 21, 2010 @09:25AM (#33649508) Homepage
    "refrain from social media altogether until the problem is resolved"

    I've been doing exactly that, and intend on keeping to do that until the problem of Twitter has been resolved.
  • by sribe (304414) on Tuesday September 21, 2010 @09:27AM (#33649538)

    This could easily be muted into a more sinister attack.

    mute
    verb [ trans. ]
    1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
      muffle the sound of (a musical instrument), esp. by the use of a mute.
      figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
    2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

    mutate
    verb
    change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
      Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

    • by HaloZero (610207)
      You're entirely right, and that is an oversight on my part. I had originally mis-typed 'mutated' (mutaed?), and instead of spell-checking it to 'mutated', it went to 'muted'. I didn't realize until I saw it on the front page, and said 'Doh!'.

      You got the idea, though.
  • http://www.spy.appspot.com/ [appspot.com] a "search" site for social media
    Might be fun to note who is using it in ~ realtime.
  • Every web developer should religiously study OWASP's Top Ten Most Critical Web Application Security Risks [googlecode.com] and be held accountable to it by their superiors.

    Those who work with contractors should especially do this as I've found that contractors tend to have the worst habits when it comes to security.

  • How can I use a 3rd party client when my favourite ones are broken and the ones that aren't broken are missing vital features for those who aren't on Twitter 24/7 (like Gwibber and its lack of scroll-back)? Curse you, OAuth deadline. Curse you!
