Flaw makes Twitter vulnerable to serious viral attack

Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker's choice simply by clicking on a link. It could be used to spawn a self-replicating worm. The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance …

COMMENTS

This topic is closed for new posts.
Silver badge
Coat

Why am I not surprised, nor am I getting worked up about it...?

I mean, c'mon, people...after all, what _are_ the first four letters in "Twitter"...?

Thankyuh, thankyuhvurymuch.

TinyURL have pulled the link

Surprising really. They didn't nuke the phpinfo() thing for yonks (have they even done it yet?) but they yanked that URL in a matter of hours. Funny, eh?

Thumb Down

It's just an XSS issue.

Send an email to security@twitter.com and move on. I hate white-hat sensationalists.

Silver badge

@Dan G

"Flaw makes Twitter vulnerable to serious viral attack"

Twitter and the like (facebook, myspace, youtube, et alii) ARE serious viral attacks. That's why they are blocked at the boarder routers for all the companies I consult for ...

@ Jake

Surely you know that blocking access to these sites is a breach of employees' human rights. You'll be telling me next that you expect them to turn up on time...

IT Angle

@Jake

Blocked at the routers? By IP? That's not really going to work if anyone uses a public proxy server, is it?

Viruses are best dealt with by A/V and IDS, not IP blocking. So you block YouTube. Great. What about somerussiansite.ru, which is linked off a Google search?

Alien

seen this before?

Brilliant... I can see the messages now...

I've been bitten by a vampire... http:\\tinyurl.com/biteme

This could be self-propagating via followers...

It's not the end of the world though...

Silver badge
Pirate

It's just XSS

Please don't dismiss XSS as a trivial non-event. If you're a bank (are there still any banks?) it's pretty serious. Even if you just require a logon before letting customers download your PDF brochures, you may still be revealing their passwords - and if they use the same passwords for other apps, like 90% of users ...

At the very least you make your organisation look incompetent - the commercial cost of that only you can decide. And where there's an XSS vulnerability, can SQL Injection be far behind?

@DanG: "boarder routers", I think I'll use this alternative spelling from now on.

<insert obligatory "arr-harr, standy by me buckos" comment here>

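To illustrate the point made above about not dismissing XSS, here is an added example that is not from the article or any of the commenters: a small Python snippet contrasting a page template that drops a user-supplied message into HTML unescaped with one that HTML-escapes it first. The function names, the sample messages and the `contains_markup` check are constructed for this illustration only.

```python
# Added example (not from the article or the commenters): the vulnerable
# pattern behind most stored/reflected XSS, beside the fix.
import html
import re

# Constructed sample messages; the second and third carry markup that a
# raw template would hand straight to the browser.
SAMPLE_MESSAGES = [
    "Just had lunch",
    "<script>alert('xss')</script>",
    "Check this: <a href=\"javascript:alert(1)\">link</a>",
]

# Rough tag matcher used only by the example's own check.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

PREFIX = "<p class='tweet'>"
SUFFIX = "</p>"


def render_unsafe(message: str) -> str:
    """Vulnerable: untrusted text is interpolated into HTML as-is."""
    return f"{PREFIX}{message}{SUFFIX}"


def render_safe(message: str) -> str:
    """Hardened: <, >, &, and quotes are escaped before reaching the page."""
    return f"{PREFIX}{html.escape(message, quote=True)}{SUFFIX}"


def contains_markup(rendered_html: str) -> bool:
    """Does the body between the wrapper tags still contain an HTML tag?"""
    inner = rendered_html[len(PREFIX):-len(SUFFIX)]
    return TAG_RE.search(inner) is not None


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        unsafe, safe = render_unsafe(m), render_safe(m)
        print("unsafe:", unsafe, "| markup survives:", contains_markup(unsafe))
        print("safe:  ", safe, "| markup survives:", contains_markup(safe))
```

Escaping at output time is the minimal fix; a real site would also apply a templating engine that escapes by default and a Content Security Policy, neither of which this snippet shows.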
Noscript.

Noscript, noscript, noscript, noscript

That is all.

Viewing Short Urls

Or you could use a service like Tweetree.com to view your Twitter stream. Tweetree follows through all the short urls and pulls in their final destination and page title so you know what to expect before clicking on it.

Silver badge

@AC 09:43, Chris, David,

AC: You seem to think I'm talking about toy operating systems ... I mean, seriously, A/V software? WTF? My exact methodology is unimportant. It works. Many other sysadmins do similar. Yes, it could loosely be called "IDS". Using proxies to get around the blocks is a firing offense, even though the attempt would probably be unsuccessful. Remember, these are WORK machines, not toys at home.

Chris: It was late. Mea culpa :-)

David: Most people don't understand that company computers belong to the shareholders, not the workers using the machines ...

Joke

How '1990s'

"A Twitter representative has yet to return our email."

Because email is _so_ Web-1.0

Silver badge

@AC 19:24

""A Twitter representative has yet to return our email."

Because email is _so_ Web-1.0"

THAT, my friends, is one of the problems with the Web2.0 crowd. They have absolutely no concept of the history & inner workings of teh intratubes. As a hint to the AC, I was sending and receiving "email" back in the late 70s. From home. Long before the Web existed. For our current standard's roots, metacrawler RFC 821, published in 1982.

We had instant messaging in the late '70s, too. metacrawler "talk +UNIX" ... Kids these days!
