Twitter Suffers Web Interface Exploit
HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."
First Post (Score:5, Funny)
http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/
Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.
Re:First Post (Score:5, Funny)
Re: (Score:2)
Requires one word — "ROTFL".
Re: (Score:2)
Which one of the five words represented by that acronym [acronymfinder.com] are you referring to?
Re: (Score:2)
How does this actually work? It's usually hard to write a program that can print itself out. And to do that in so few characters would be even harder. However it looks like this one is somehow cheating and asking the containing document to tell it its own content. But I'm not a good enough JavaScript programmer to understand it.
Re: (Score:3, Informative)
Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.
Re: (Score:2)
It's all a ruse. If someone tries to mod him down, he shall become more powerful than we could possibly imagine. Or at least, the script will start working :0
Re: (Score:2)
Naw. ACs have a short lifespan. They were made [wikipedia.org] that way. We need not concern ourselves with them unless they become dangerous.
What dangerous is should be obvious.
Re: (Score:2)
What dangerous is should be obvious.
Able to make their way up the basement stairs?
Well (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Or mobile (Score:4, Informative)
If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/ [twitter.com]
Re:Or mobile (Score:5, Funny)
The conditional word "if" was included for your convenience.
Re: (Score:3, Funny)
So, if he doesn't want to use the web interface, then is the mobile version affected or not?
Re: (Score:3, Funny)
Re: (Score:2)
question would be how many dupes would appear.
Hmm (Score:4, Insightful)
Why, again, should I be using Twitter?
Re:Hmm (Score:5, Funny)
It's the best, perhaps only way to automatically retweet. That's a fairly unique service.
Re: (Score:2)
Can't really tell if that's a joke about the article, or whether that's actually meant to mean something useful. Doesn't really help answer his question either way..
Re: (Score:2)
I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.
Re: (Score:1)
Still think I nailed it when I wrote "Twitter: the UDP of human conversation. -me" [slashdot.org]
Re: (Score:2)
Ironically, your clever (and shibboleth-ish; I had to google UDP to make sure I got it) line about twitter is an excellent example of what twitter is excellent for, as a "tweeter" -- the sharing of an engaging twist of perspective.
There's a lingering perception of twitter as a "what I'm having for dinner right now" kind of thing, but in practice that's a small fraction of the use of it (YMMV)-- conversely I would say Twitter's "right in the moment" aspect makes such talk a little more engaging and less bana
Re: (Score:2, Funny)
Cheers!
Re: (Score:1)
Re: (Score:2, Insightful)
I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.
But.. but.. but... it's mainstream! And mainstream stuff, especially things that require 'followers' or 'friends', is dumb and stupid and totally beneath us nerds! I prefer to use email and other less ideal solutions that this thing does elegantly!
Re: (Score:3, Insightful)
Twitter is hardly mainstream. Out of a huge assortment of people I know, almost all of them, nerds or technophobes, have a facebook account. I have only met one person who claims to use Twitter.
Twitter is pure, 100% hype. It is the most hyped ".com" I've seen since, well, the dot.com days. Seriously. Twitter is not mainstream in the least.
Re: (Score:2)
"Twitter is hardly mainstream.... It is the most hyped ".com" I've seen since, well, the dot.com days."
Heh. Seriously? It's more hyped than any .com and it's not mainstream?
Two billion tweets in a 3 month period? Every business and their mother advertising 'follow us on twitter!' The word 'tweet' being widely recognized by most Joe Schmoes?
Okie doke. Not mainstream at all.
Re: (Score:2, Insightful)
I can't tell you why you should be using Twitter, but some of us have friends or know of folks online who are good at dropping the pithy bon mot, or find it a convenient way to announce things.
Why again should you be using email? Or SMS txt'ing? Or slashdot?
Re: (Score:2)
Email? Meh, old news. Texting? Meh, newfangled. Slashdot? Ah Slashdot: You will never find a more wretched hive of scum and villainy. We must be cautious.
Re: (Score:2)
I have mod points, so it's really hard to decide if I should reply or just send your obvious bait into oblivion.
Instead I'll bite though.
I hated twitter when I first heard about it, I didn't 'get' it. Now, having used it - it's the most powerful communications tool I've ever seen, period.
It's a perfect replacement to SMS, I can see if events are occurring internationally almost instantly, I can broadcast things to all or keep them private. It's an incredible tool for sharing information and frankly should
Re: (Score:3, Interesting)
In fact, I would say it is the communication (real or imagined) with "famous" people that makes it so appealing. When you log into Film Star A's blog, you know you're just doing the equivalent of reading her diary. But when you get a tweet on your mobile phone, it's sort of like she's talking directly to you.
Re: (Score:2)
"For personal one to one text communications I don't see how you can improve on texts/SMS, and for anything else what does twitter do that a web site can't?"
It's the one to many thing -- not "many" as in "countless hordes of fans", but many as in "a set of people I know in real life and who I've run into online" -- most people don't generate enough content to make a website worth coming back to on a daily or more basis, but amalgamated with a bunch of other people's thoughts, and now you've got something!
Th
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
Twitter is great for those of us with no writing talent: no need to post a whole blog about an idea we can explain in 140 characters or less
Re: (Score:2)
Actually, being able to work within strict limitations -is- a pretty good indicator of talent. It's much easier to bloviate for paragraphs at a time without saying anything.
Again? (Score:5, Insightful)
Re: (Score:2)
What if its a tweet about programming in JavaScript?
Re: (Score:2)
Re: (Score:2)
That's what he meant (i hope)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Easy. If they escaped double-quotes (") to &quot; then this wouldn't happen because the code wouldn't be able to escape the href section of the link.
Re: (Score:2)
But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0
Re: (Score:2)
But what if they used.. single quotes!!?!?!?!?!?!?!?!?!?!!! *gasp* :0
But what if attackers used single quotes too?
(Sheesh!)
Re: (Score:2)
That's what I meant..
Re: (Score:2)
I think it is half solutions that are the problem. Allowing any sort of tags allows for adding script to various events and the like and even stripping them is quite difficult.
You either need to use a library that is proven to do this or escape all html.
Re: (Score:2)
or the server could just convert < and > to &lt; and &gt; when it received a tweet, wouldn't that work to "escape all HTML"?
Re: (Score:2)
That is one way of doing it, but if you have a requirement for rich text for example it complicates things. And the more control you are handing over to the user the more difficult it is to stop javascript sneaking in somewhere.
Re: (Score:2)
The server shouldn't really store HTML entities. You don't want to receive that junk in an XML API or to have to convert it for a non-HTML desktop client. You store the original and escape for display.
Re: (Score:2)
Good point, that's actually how I already handle this type of situation in my own apps now that I think about it: escape HTML special chars and convert newlines to break tags on the way out, but leave the original text in the database.
Re: (Score:1)
From what I could tell, the string looks something like this: http://example.com/#@ [example.com]"onmouseover=">"
my guess is this is some bug related to how they handle hashtags/user profile links
I think they're regularly running a script that takes out the # from the link from old tweets
Re: (Score:2)
Why is filtering this stuff out not part of standard input sanitization practices by now?
It is, I'd just guess that whoever is behind Twitter is not as competent as you might think.
Re: (Score:2)
It's quite possible to store the tweet in 140 characters while just as easily escaping sensitive characters on an HTML interface. It's called escaping on demand, and any library that deals with HTML should have that feature already.
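To make the escaping discussion in this subthread concrete, here is an added example (not code from any poster here, and not Twitter's own code): a toy tweet linkifier that drops a URL token raw into an href attribute, the "just escape double quotes" half fix with a single-quoted template, and a renderer that stores the raw text and escapes every value for its context on the way out. The function names, the regex and the two sample tweets are constructed for illustration; the samples follow the shape of the payload quoted above but are not the live one.

```javascript
// Added example, not code from the original post or from Twitter: a toy tweet
// linkifier that reproduces the bug class discussed in this subthread, the
// "escape only double quotes" half fix, and a renderer that stores raw text and
// escapes on output. Function names and the sample tweets are constructed.

// A URL-looking token: scheme, host, then everything up to the next whitespace.
// A greedy tail like this is how a quote character rides into the href.
const URL_RE = /https?:\/\/[^\s]+/g;

// Escaping for HTML text and for double- or single-quoted attribute values.
// With &, <, >, " and ' encoded, a value can neither close the attribute it
// sits in nor open a new tag, whichever quote style the template uses.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the URL token is interpolated raw into href="...".
// A token containing a double quote closes the attribute, and the rest of
// the token is parsed as further attributes (onmouseover=..., style=...).
function renderTweetVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// The half fix from the thread: escape only double quotes. This template
// happens to use single-quoted attributes, so a payload that switches to
// single quotes breaks out exactly the same way.
function renderTweetHalfFixed(text) {
  const q = (s) => s.replace(/"/g, '&quot;');
  return text.replace(URL_RE, (url) => `<a href='${q(url)}'>${q(url)}</a>`);
}

// Hardened renderer: the store keeps the raw tweet (no entities in the
// database) and every dynamic value is escaped for its context at display
// time: the href as an attribute value, the link text and the surrounding
// text as text nodes. escapeHtml is safe for both of those contexts.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<a href="${escapeHtml(m[0])}">${escapeHtml(m[0])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Crude detector used to compare the renderers: given the quote character the
// template wraps attribute values in, an on*= that directly follows a raw copy
// of that quote has escaped the value; one that follows &quot; or &#39; is text.
function hasLiveHandler(html, quote) {
  return new RegExp(quote + '\\s*on[a-z]+\\s*=', 'i').test(html);
}

// Constructed samples in the shape of the payload quoted in the thread.
const DOUBLE_QUOTE_PAYLOAD =
  'http://example.com/@"onmouseover="alert(1)"style="background:red"/ hi';
const SINGLE_QUOTE_PAYLOAD =
  "http://example.com/@'onmouseover='alert(1)'style='background:red'/ hi";

for (const [name, render, quote] of [
  ['vulnerable', renderTweetVulnerable, '"'],
  ['half-fixed', renderTweetHalfFixed, "'"],
  ['safe', renderTweetSafe, '"'],
]) {
  for (const tweet of [DOUBLE_QUOTE_PAYLOAD, SINGLE_QUOTE_PAYLOAD]) {
    const html = render(tweet);
    console.log(`${name}: live handler=${hasLiveHandler(html, quote)}\n  ${html}`);
  }
}
```

The vulnerable renderer only fails on the double-quote payload and the half fix only fails on the single-quote one, which is the point made above: a fix that targets one quote character just moves the problem. The hardened renderer never emits a raw quote that came from the tweet, so the browser sees one attribute and one text node no matter what the 140 characters contain, and the database still holds the original text for the API and non-HTML clients.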
Hosts file (Score:3, Informative)
Add "t.co" to your Windows Hosts file - this will stop the gibberish text.
Although the web interface is still broken. (The interface goes grey, and any click still tries to go to the t.co web page)
Add this to your Hosts file:
0.0.0.0 t.co
Re: (Score:3, Informative)
That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0
The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.
Re: (Score:2)
Re:Hosts file (Score:4, Insightful)
Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...
Re: (Score:1)
Actually, I'm having a lot of fun distilling what I want to say down to its bare essence in order to fit the 140 char space.
Then again, I mostly use twitter to see my elected officials make fun of each other(and egg 'm on a bit at times).
Re:Hosts file (Score:4, Funny)
nothing of any real import can be expressed in 140 characters...
"The bag is in locker #437. You'll find your fee and the target's dossier inside."
"The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
"Cut the red wire."
"Salutations earthlings. We come in peace."
Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.
"Dear Mr. Assassin. I've left the money, in $20 bills, inside a big black leather bag. The target data will be inside the bag that you'll find in locker #"
Re: (Score:2)
Re: (Score:2)
640K much?
Re: (Score:2)
Spoken to twitter on IRC. It is fixed. Going to take a while to propagate through the servers.
Re: (Score:3, Informative)
http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched [twitter.com]
Re: (Score:1)
The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.
or simply retweet and lol.
Re: (Score:1)
Re: (Score:2, Informative)
But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.
Re: (Score:2)
No. Some of the tweets use a different address.
Re: (Score:1)
Re: (Score:2)
Obligatory xkcd (Score:3, Funny)
Re: (Score:2, Informative)
the issue was with sanitizing database OUTPUT.
little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.
Re: (Score:2)
Whichever way you look at it (input or output) no damn javascript should EVER make it into a tweet. Nobody but Twitter knows if that's because the tweet-input routines didn't filter it effectively, or because the tweet display routines allow you to see the javascript as actual markup instead of sanitised plain-text.
Either way, allowing JS scripts, HTML tags or anything NOT TEXT into a tweet means you didn't attend your first grade computer security courses. This isn't some massively complex hack - somehow
Re: (Score:2)
Completely random aside, but in English even though you use 's to signify possession for nouns, instead of "it's", you actually write it "its".
Happy to help you sanitise your output ;)
Additional details from Netcraft, Sophos (Score:4, Informative)
Re: (Score:2)
Here let me fix that for you (Score:2, Insightful)
...so it is recommended that you refrain from social media altogether.
There, fixed it for you.
Re: (Score:1)
So abstinence is the best way to avoid viruses?
Re: (Score:2)
Also saw (Score:2, Interesting)
Now FIXED (Score:4, Informative)
It is now FIXED.
http://twitter.com/delbius/status/25120366027 [twitter.com]
Re: (Score:2)
So, they tweeted that they had fixed a bug preventing unintended retweeting, and 100+ people have retweeted it?
pure shame. (Score:1)
as is always the case, they'll claim it passed regression testing, so there was nothing they could do... but the simple fact is they failed at creating viable regression tests.
this is kindergarten CS stuff... these are the developers the big name out
Refrain from using the internet (Score:1)
until they fix twitter.
EVERYONE! Grab a shovel.. dig a hole in the sand and instruct the person next to you to put their head in the hole, now bury their heads in the sand. Everyone do the same! Wait... one person will have to be left behind.
This is a well orchestrated attack by twitter to highlight the need to move to their own in-house url shortener t.co instead of all those other pesky untrustworthy other url shorteners. However, on a funny note it's amazing how people will, nay, must click things, espec
muted into a more sinister attack? (Score:2)
Now on the other hand if this attack were to mutate I could see it easily becoming something that might be very disruptive for twits (those who use Twitter).
Re: (Score:1)
TLDR (Score:2)
If that was TLDR, here's my summary:
"... it is recommended that you ... refrain from social media altogether ..."
Works for me!
From TFS (Score:4, Funny)
I've been doing exactly that, and intend to keep doing that until the problem of Twitter has been resolved.
Re: (Score:2)
Re: (Score:3, Funny)
mocking illiterate editors is too easy (Score:3, Informative)
This could easily be muted into a more sinister attack.
mute |myot|
verb [ trans. ]
1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
muffle the sound of (a musical instrument), esp. by the use of a mute.
figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.
mutate |myott|
verb
change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.
Re: (Score:2)
You got the idea, though.
Anyone want to seek it? (Score:2)
Might be fun to note who is using it in ~ realtime.
OWASP's Top Ten (Score:2)
Every web developer should religiously study OWASP's Top Ten Most Critical Web Application Security Risks [googlecode.com] and be held accountable to it by their superiors.
Those who work with contractors should especially do this as I've found that contractors tend to have the worst habits when it comes to security.
Use a third party client? But they're broken (Score:2)
How can I use a 3rd party client when my favourite ones are broken and the ones that aren't broken are missing vital features for those who aren't on Twitter 24/7 (like Gwibber and its lack of scroll-back)? Curse you, OAuth deadline. Curse you!
Re: (Score:2)
Yes, there are people who aren't total social media douchebags who use Twitter.
HootSuite uses ow.ly which for quite a long time wrapped links in a stupid 'social toolbar', a sort of crap Twitter version of the DiggBar. Horrible. If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.
Re:Easy solution (Score:4, Funny)
NoScript is a much better solution than out-and-out disabling javascript anyways.
Re:Easy solution (Score:5, Insightful)
1994 called, and it wants its World Wide Web back.
I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>
Re: (Score:3, Interesting)