Twitter is sitting on an amateur configuration blunder that makes it trivial for attackers to take control of user accounts, a researcher said Friday. The error resides in an Adobe Flash object hosted on the microblogging site, said Mike Bailey, a senior security analyst with penetration testing firm Foreground Security. …
NoScript FTW !
Anyone not using it deserves all they get.
And the corollary...
Anyone using Twitter deserves all that they get.
for not being a twit.
A Minor Point
In this use/meaning, the word is pronounced as 'twat'.
Yes, but in most of the cases you whitelist sites you go most often and then just add new ones as you crawl there. It's not optimal, I agree, but heck, that's how it works.
I'd be happy to see a managed list (something like Adblock subscription list) with whitelisted domains. If somebody's paranoid, they can always disable it and go the old school way.
Believe it or not...
As a side-note I have noticed Google, being the devious b*stards they are, hosting JQuery scripts, which many sites rely on for "glitzy" functionality, from their analytics domain. I'm sure you can see the problem* with that.
* Actually, it's not so much of a problem as, for instance, sites that use a Google hosted JQuery "lightbox" scripts often just fall back to opening the image in a new window/tab so you don't actually need to allow Google Analytics for many sites to remain functional... if a little "old-school"! Google are just being evil by trying to "force" people to allow analytics!!
So you can click a link to pwn Twitter once you're logged in to Twitter...
...does this mean you can only remotely pwn your own account, or anybody's account?
So what ?
Since nobody over the age of 8 uses Twitter (except Stephen Fry)
This is going to have about the same effect as the security flaws on the Sinclair Spectrum that allowed me to write
10 print "Dixons is crap"
20 goto 10
All those years ago
That won't flash, or go diagonally across the screen will it? I demand you recode that!
Where's your creativity? Where's your seizure-inducing colours? And the all-important line 40 to stop it from halting with the "scroll?" prompt when the screen gets full!
20 LET x = INT(RND * 7) : LET y = INT(RND * 7) : LET z = INT(RND * 7)
30 PAPER x : INK y : BORDER z
40 POKE 23692, 255
50 PRINT "Dixons is crap ";
60 GOTO 20
And they called it a mis-spent youth....
> "This is not Adobe's fault,"
Oh yes it fucking well is. No such thing as crossdomain.xml should even exist in the first place. It is an utterly misbegotten notion that totally fails to close down the fundamental hole that flash opens in the same-origin security model.
Wow! So you can hack a twitter account...
... and then...?
Who gives a fuck?!
Those moaning about Twitter
Go back and re-read the article. It's other websites as well, Twitter was just an example. Although I agree it's an over-hyped service.
Does remind me why I stick with FF despite it being a blundering memory hog these days (3.6 is a minor improvement). Still waiting on noscript-a-like support on other browsers (adblock+ and flashblock would be nice as well, but we can't have everything).
No idea what you're doing differently
but Firefox isn't a memory hog when I use it.
firefox memory hog
Actually the memory issue tends to be related to No-Script - as much as I love the blocking add-on, I do find I purge my whitelist every 12 months or so for a performance boost.
Under vanilla operation FF runs about 20-30 meg,....currently with my NoScript whitelist it runs at 76. (whitelist contains about 280 entries)
Twitter twatter twotter
Please people, it's just more of the same web 2.0 crap.
You can control it on a site by site basis as well.
It's where the Firefox developers get most of their ideas from!
How about making the damn functions visible. People use NoScript since it sits on the bottom showing off its usefulness and being pretty easy to configure
Not with the same ease
I know Opera has the ability to do much of this stuff, but it's not at the same UI level.
In short, I acknowledge Opera has the ability, but it lacks the ease of use in this area.
I do use Opera on occasion, same as I use Chrome and, if forced, IE. I just prefer the security package I currently have set up with FF for most browsing. Personal choice and all that. ;o)
AdBlock: Right click on a page, select 'Block Content'. Click on the things on the page you want to block. Click on 'Done' in the 'Information Bar' at the top of the page.
Personalised Site Preferences: Set your defaults in the options as you normally would, then right click on a page and select 'Edit Site Preferences' to customise for the site you're on.
Personally, I find the Firefox UI to be quite horrible. Opera, admittedly, isn't much better in places, but at least it doesn't make me want to gouge my eyes out every time I see it.
Given that Opera is free again, I really don't know why people still use Firefox. It really is garbage.
"I can think of a million ways to use this as an attacker"
And I've told him a million times not to exaggerate.
Plus he's not an "attacker" and I've told him a gazillion times not to lie :-)
And then the web site still may not work with Opera. I think the main current gap is in support for dynamic thingies of some sort.
But the problem isn't "Opera isn't safe from this".
Even No Script
has its off days and cannot be relied upon, unfortunately.
I have come across a problem where NoScript installed in Firefox using a strange foreign language, not English. Consequently, not much can be understood of the message content when it stops a script. Making it absolutely useless on my children's PC.
Er, even the program writer has been unable to fathom out this one. Any takers ?
And as for Firefox, you penguin heads might know why I cannot see the media player controls on my Myspace account. Flash Block isn't stopping the ads from playing, just the control panel ? NoScript would appear superfluous at this time.
PS I'm using Ubuntu 9.04 and SeaMonkey is very wonkey too. Hence the use of Epiphany and Opera, the only browsers that actually work under my version of Linux. Sheesh !
Just a minor rant
Out of the twenty two replies at the time of writing not one comment has addressed even vaguely the actual content of the article, with the possible exception of the first sentence from Phillip Webster. All I can see is the usual Twitter is crap, Twitter users are twats, they should use adblock plus turbo with go faster stripes type comments. I'm no stranger to asinine comments but once something has been said is there a need to repeat it? Please Ms. Moderator bring back the automatic response option.
I can't contribute anything because I'm not knowledgeable enough but I wish those who are equally less gifted would STFU and let those who are actually say something constructive.
Excuse me while I state the obvious
Since no-one is interested in what anyone says on Twitter, who will read the "I've been pwned" message except other twats - some of whom may have just posted their own similar message...