Amateur goof makes Twitter account hijacking a snap

Twitter is sitting on an amateur configuration blunder that makes it trivial for attackers to take control of user accounts, a researcher said Friday. The error resides in an Adobe Flash object hosted on the microblogging site, said Mike Bailey, a senior security analyst with penetration testing firm Foreground Security. …

COMMENTS

Thumb Up

NoScript FTW

NoScript FTW !

--nuff said

5
0

Title

Anyone not using it deserves all they get.

0
0

And the corollary...

Anyone using Twitter deserves all that they get.

1
1
Thumb Down

Another reason

for not being a twit.

2
1
Silver badge
Headmaster

A Minor Point

In this use/meaning, the word is pronounced as 'twat'.

0
0

NoScript good,....

Not having JavaScript running on sites that require it? Bad. Talk about a long exception list....

1
0

reply?

Yes, but in most of the cases you whitelist sites you go most often and then just add new ones as you crawl there. It's not optimal, I agree, but heck, that's how it works.

I'd be happy to see a managed list (something like Adblock subscription list) with whitelisted domains. If somebody's paranoid, they can always disable it and go the old school way.

1
0

Believe it or not...

...most sites don't require JavaScript to be active for anything other than their OWN domain and/or CDN. The rest is usually just GoogleAds, Google Urchin/Analytics, and other advert serving companies. For instance, for El Reg, I only have register.co.uk allowed and the site remains FULLY functional. Google-Analytics.com, quantserve.com and doubleclick.net are definitely not required and actually lead to a better layout of the site (no banners at the top of the page or mid-story ads) as text often, if not always, re-flows to occupy the additional white space.

I'm sure we can guess which kind of sites you're visiting if you're getting JavaScript served from many different domains... and they're the exact kind of sites that you DON'T want to be allowing to serve you JavaScript from all over the shop!

As a side-note I have noticed Google, being the devious b*stards they are, hosting jQuery scripts, which many sites rely on for "glitzy" functionality, from their analytics domain. I'm sure you can see the problem* with that.

* Actually, it's not so much of a problem as, for instance, sites that use Google-hosted jQuery "lightbox" scripts often just fall back to opening the image in a new window/tab, so you don't actually need to allow Google Analytics for many sites to remain functional... if a little "old-school"! Google are just being evil by trying to "force" people to allow analytics!!

1
0

This post has been deleted by its author

Silver badge

Twitter hack?

So you can click a link to pwn Twitter once you're logged in to Twitter...

...does this mean you can only remotely pwn your own account, or anybody's account?

0
0
Silver badge
Boffin

So what ?

Since nobody over the age of 8 uses Twitter (except Stephen Fry)

This is going to have about the same effect as the security flaws on the Sinclair Spectrum that allowed me to write

10 print "Dixons is crap"
20 goto 10

All those years ago

0
0

Flash

That won't flash, or go diagonally across the screen, will it? I demand you recode that!

0
0
Boffin

Come on...

Where's your creativity? Where's your seizure-inducing colours? And the all-important line 40 to stop it from halting with the "scroll?" prompt when the screen gets full!

10 RANDOMIZE
20 LET x = INT(RND * 7) : LET y = INT(RND * 7) : LET z = INT(RND * 7)
30 PAPER x : INK y : BORDER z
40 POKE 23692, 255
50 PRINT "Dixons is crap ";
60 GOTO 20

And they called it a mis-spent youth....

0
0
Thumb Down

> "This is not Adobe's fault,"

Oh yes it fucking well is. No such thing as crossdomain.xml should even exist in the first place. It is an utterly misbegotten notion that totally fails to close down the fundamental hole that Flash opens in the same-origin security model.

13
0

This post has been deleted by a moderator

Silver badge
Flame

Wow! So you can hack a twitter account...

... and then...?

Who gives a fuck?!

1
0
Badgers

Those moaning about Twitter

Go back and re-read the article. It's other websites as well, Twitter was just an example. Although I agree it's an over-hyped service.

Does remind me why I stick with FF despite it being a blundering memory hog these days (3.6 is a minor improvement). Still waiting on NoScript-like support on other browsers (AdBlock Plus and Flashblock would be nice as well, but we can't have everything).

0
0
WTF?

No idea what you're doing differently

but Firefox isn't a memory hog when I use it.

0
0

firefox memory hog

Actually the memory issue tends to be related to NoScript - as much as I love the blocking add-on, I do find I purge my whitelist every 12 months or so for a performance boost.

Under vanilla operation FF runs at about 20-30 meg; currently with my NoScript whitelist it runs at 76 (whitelist contains about 280 entries).

0
0
FAIL

Twitter twatter twotter

Please people, it's just more of the same web 2.0 crap.

Walk away.

0
0

@Phillip Webster

Opera has had content blocking (equivalent of AdBlock) and the ability to control or disable JavaScript and plugins for ages.

You can control it on a site by site basis as well.

It's where the Firefox developers get most of their ideas from!

1
1
Bronze badge
Thumb Down

Yeah, but...

How about making the damn functions visible? People use NoScript since it sits on the bottom showing off its usefulness and being pretty easy to configure.

0
0

Not with the same ease

I know Opera has the ability to do much of this stuff, but it's not at the same UI level.

For example, everything is disabled with these add-ons on Firefox, I visit a site, I get a few missing items and sometimes some scrambled content from where JavaScript has been used (usually unnecessarily).

If I then want to enable JavaScript I have an icon in the bottom-right of the browser window I can click and choose the sites I wish allowed. Usually the site the page is on itself is the most likely to be safe and will fix almost all the issues.

As far as I can tell, to get the same use out of Opera I need to go fiddling through the options to enable things each time I visit a site. I also need to know in advance which sites I need to allow (it's not always obvious where sites are getting their JavaScript, which is another advantage of NoScript).

In short, I acknowledge Opera has the ability, but it lacks the ease of use in this area.

I do use Opera on occasion, same as I use Chrome and, if forced, IE. I just prefer the security package I currently have set up with FF for most browsing. Personal choice and all that. ;o)

1
0
Def
Bronze badge
Go

Opera

AdBlock: Right click on a page, select 'Block Content'. Click on the things on the page you want to block. Click on 'Done' in the 'Information Bar' at the top of the page.

Personalised Site Preferences: Set your defaults in the options as you normally would, then right click on a page and select 'Edit Site Preferences' to customise for the site you're on.

Personally, I find the Firefox UI to be quite horrible. Opera, admittedly, isn't much better in places, but at least it doesn't make me want to gouge my eyes out every time I see it.

Given that Opera is free again, I really don't know why people still use Firefox. It really is garbage.

0
0
Bronze badge
Joke

Hyperbolic reaction

"I can think of a million ways to use this as an attacker"

And I've told him a million times not to exaggerate.

Plus he's not an "attacker" and I've told him a gazillion times not to lie :-)

0
0

With Opera you only start having a problem when you enable JavaScript.

But I agree, it is quite fiddly to enable JavaScript for a site in Opera, then it takes a while to process the new instruction - that may be because I have about 100 web pages open, perhaps it goes through them all evaluating my new preferences.

And then the web site still may not work with Opera. I think the main current gap is in support for dynamic thingies of some sort.

But the problem isn't "Opera isn't safe from this".

Then again, I think you also have to decide to disable JavaScript in the first place...

0
0
FAIL

Even No Script

has its off days and cannot be relied upon, unfortunately.

I have come across a problem where NoScript installed in Firefox using a strange foreign language, not English. Consequently, not much can be understood of the message content when it stops a script. Making it absolutely useless on my children's PC.

Er, even the program writer has been unable to fathom out this one. Any takers ?

And as for Firefox, you penguin heads might know why I cannot see the media player controls on my Myspace account. Flash Block isn't stopping the ads from playing, just the control panel? NoScript would appear superfluous at this time.

PS I'm using Ubuntu 9.04 and SeaMonkey is very wonky too. Hence the use of Epiphany and Opera, the only browsers that actually work under my version of Linux. Sheesh !

ALF

0
1
Silver badge

Just a minor rant

Out of the twenty-two replies at the time of writing not one comment has addressed even vaguely the actual content of the article, with the possible exception of the first sentence from Phillip Webster. All I can see is the usual "Twitter is crap", "Twitter users are twats", "they should use AdBlock Plus turbo with go-faster stripes" type comments. I'm no stranger to asinine comments but once something has been said is there a need to repeat it? Please Ms. Moderator bring back the automatic response option.

I can't contribute anything because I'm not knowledgeable enough but I wish those who are equally less gifted would STFU and let those who are actually say something constructive.

3
0
FAIL

Excuse me while I state the obvious

Since no-one is interested in what anyone says on Twitter, who will read the "I've been pwned" message except other twats - some of whom may have just posted their own similar message...

0
0