TinyURL have pulled the link
Posted Friday 20th March 2009 07:08 GMT
Surprising really. They didn't nuke the phpinfo() thing for yonks (have they even done it yet?) but they yanked that URL in a matter of hours. Funny, eh?
Posted Friday 20th March 2009 04:38 GMT
I mean, c'mon, people...after all, what _are_ the first four letters in "Twitter"...?
Thankyuh, thankyuhvurymuch.
Posted Friday 20th March 2009 07:08 GMT
Send an email to security@twitter.com and move on. I hate white-hat sensationalists.
Posted Friday 20th March 2009 07:08 GMT
"Flaw makes Twitter vulnerable to serious viral attack"
Twitter and the like (facebook, myspace, youtube, et alii) ARE serious viral attacks. That's why they are blocked at the boarder routers for all the companies I consult for ...
Posted Friday 20th March 2009 10:43 GMT
Surely you know that blocking access to these sites is a breach of employees' human rights. You'll be telling me next that you expect them to turn up on time.......
Posted Friday 20th March 2009 10:43 GMT
Blocked at the routers? By IP? That's not really going to work if anyone uses a public proxy server, is it?
Viruses are best dealt with by A/V and IDS, not IP blocking. So you block YouTube. Great. What about somerussiansite.ru, which is linked off a Google search?
Posted Friday 20th March 2009 10:43 GMT
Brilliant.. I can see the messages now...
I've been bitten by a vampire.. http:\\tinyurl.com/biteme
this could be self propagating via followers..
it's not the end of the world though...
Posted Friday 20th March 2009 10:59 GMT
Please don't dismiss XSS as a trivial non-event. If you're a bank (are there still any banks?) it's pretty serious. Even if you just require a logon before letting customers download your PDF brochures, you may still be revealing their passwords - and if they use the same passwords for other apps, like 90% of users ...
At the very least you make your organisation look incompetent - the commercial cost of that only you can decide. And where there's an XSS vulnerability, can SQL Injection be far behind?
@DanG: "boarder routers", I think I'll use this alternative spelling from now on.
<insert obligatory "arr-harr, standy by me buckos" comment here>
Posted Friday 20th March 2009 10:59 GMT
Noscript, noscript, noscript, noscript
That is all.
Posted Friday 20th March 2009 15:45 GMT
Or you could use a service like Tweetree.com to view your Twitter stream. Tweetree follows through all the short urls and pulls in their final destination and page title so you know what to expect before clicking on it.
Posted Friday 20th March 2009 21:28 GMT
AC: You seem to think I'm talking about toy operating systems ... I mean, seriously, A/V software? WTF? My exact methodology is unimportant. It works. Many other sysadmins do similar. Yes, it could loosely be called "IDS". Using proxies to get around the blocks is a firing offense, even though the attempt would probably be unsuccessful. Remember, these are WORK machines, not toys at home.
Chris: It was late. Mea culpa :-)
David: Most people don't understand that company computers belong to the shareholders, not the workers using the machines ...
Posted Friday 20th March 2009 21:28 GMT
"A Twitter representative has yet to return our email."
Because email is _so_ Web-1.0
Posted Saturday 21st March 2009 01:34 GMT
""A Twitter representative has yet to return our email."
Because email is _so_ Web-1.0"
THAT, my friends, is one of the problems with the Web2.0 crowd. They have absolutely no concept of the history & inner workings of teh intratubes. As a hint to the AC, I was sending and receiving "email" back in the late 70s. From home. Long before the Web existed. For our current standard's roots, metacrawler RFC 821, published in 1982.
We had instant messaging in the late '70s, too. metacrawler "talk +UNIX" ... Kids these days!