Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker's choice simply by clicking on a link. It could be used to spawn a self-replicating worm. The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance …
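The flaw described above is a stored/reflected XSS: text supplied by one user is copied into page HTML without encoding, so markup in that text runs in every other logged-in viewer's browser, which is what lets a link turn into a self-posting worm. The following is an added example (not code from The Register article, nor Twitter's own code; all function names and the sample status are constructed for illustration) showing the anti-pattern beside its hardened form, with a small check a reviewer can run over rendered output to spot tags the template itself did not emit.

```javascript
// Added example (not from the article or from Twitter): contextual HTML
// encoding as the fix for a status body that is interpolated into markup.

// Escape the five characters that are significant in HTML text and in
// double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Anti-pattern: raw user text dropped straight into the page template.
function renderStatusUnsafe(user, text) {
  return `<li class="status"><b>${user}</b>: ${text}</li>`;
}

// Hardened: every untrusted value is encoded for the HTML context it lands in.
function renderStatusSafe(user, text) {
  return `<li class="status"><b>${escapeHtml(user)}</b>: ${escapeHtml(text)}</li>`;
}

// Review/detection helper: list any tag in a rendered fragment that the
// template itself does not produce. For a correctly encoded fragment the
// answer is always an empty list.
const TEMPLATE_TAGS = new Set(['li', '/li', 'b', '/b']);
function foreignTags(html) {
  const found = [];
  const tagRe = /<\s*(\/?[a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) found.push(m[1]);
  }
  return found;
}

// Constructed sample input: a status body that happens to contain markup.
const SAMPLE_USER = 'alice';
const SAMPLE_TEXT = 'Great show <script>/* injected */</script> & more';

console.log('unsafe :', renderStatusUnsafe(SAMPLE_USER, SAMPLE_TEXT));
console.log('safe   :', renderStatusSafe(SAMPLE_USER, SAMPLE_TEXT));
console.log('foreign tags in unsafe render:', foreignTags(renderStatusUnsafe(SAMPLE_USER, SAMPLE_TEXT)));
console.log('foreign tags in safe render  :', foreignTags(renderStatusSafe(SAMPLE_USER, SAMPLE_TEXT)));
```

The encoding must match the context the value lands in: this table is right for element text and double-quoted attributes, but a value placed inside a URL, a JavaScript string, or an event-handler attribute needs the encoder for that context, and a check like `foreignTags` only catches the element-injection case shown here.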
Why am I not surprised, nor am I getting worked up about it...?
I mean, c'mon, people...after all, what _are_ the first four letters in "Twitter"...?
TinyURL have pulled the link
Surprising really. They didn't nuke the phpinfo() thing for yonks (have they even done it yet?) but they yanked that URL in a matter of hours. Funny, eh?
It's just an XSS issue.
Send an email to email@example.com and move on. I hate white-hat sensationalists.
"Flaw makes Twitter vulnerable to serious viral attack"
Twitter and the like (facebook, myspace, youtube, et alii) ARE serious viral attacks. That's why they are blocked at the boarder routers for all the companies I consult for ...
Surely you know that blocking access to these sites is a breach of employees' human rights. You'll be telling me next that you expect them to turn up on time.......
Blocked at the routers? By IP? That's not really going to work if anyone uses a public proxy server, is it?
Viruses are best dealt with by A/V and IDS, not IP blocking. So you block YouTube. Great. What about somerussiansite.ru, which is linked off a Google search?
seen this before?
Brilliant.. I can see the messages now...
I've been bitten by a vampire.. http://tinyurl.com/biteme
this could be self propagating via followers..
it's not the end of the world though...
It's just XSS
Please don't dismiss XSS as a trivial non-event. If you're a bank (are there still any banks?) it's pretty serious. Even if you just require a logon before letting customers download your PDF brochures, you may still be revealing their passwords - and if they use the same passwords for other apps, like 90% of users ...
At the very least you make your organisation look incompetent - the commercial cost of that only you can decide. And where there's an XSS vulnerability, can SQL Injection be far behind?
@DanG: "boarder routers", I think I'll use this alternative spelling from now on.
<insert obligatory "arr-harr, stand by me buckos" comment here>
Noscript, noscript, noscript, noscript
That is all.
Viewing Short Urls
Or you could use a service like Tweetree.com to view your Twitter stream. Tweetree follows through all the short urls and pulls in their final destination and page title so you know what to expect before clicking on it.
@AC 09:43, Chris, David,
AC: You seem to think I'm talking about toy operating systems ... I mean, seriously, A/V software? WTF? My exact methodology is unimportant. It works. Many other sysadmins do similar. Yes, it could loosely be called "IDS". Using proxies to get around the blocks is a firing offense, even though the attempt would probably be unsuccessful. Remember, these are WORK machines, not toys at home.
Chris: It was late. Mea culpa :-)
David: Most people don't understand that company computers belong to the shareholders, not the workers using the machines ...
"A Twitter representative has yet to return our email."
Because email is _so_ Web-1.0
""A Twitter representative has yet to return our email."
Because email is _so_ Web-1.0"
THAT, my friends, is one of the problems with the Web2.0 crowd. They have absolutely no concept of the history & inner workings of teh intratubes. As a hint to the AC, I was sending and receiving "email" back in the late 70s. From home. Long before the Web existed. For our current standard's roots, metacrawler RFC 821, published in 1982.
We had instant messaging in the late '70s, too. metacrawler "talk +UNIX" ... Kids these days!