Twitter flaw creates micro-blogging mayhem
A cross-site scripting flaw on Twitter's website creates a means for posting code into updates, causing chaos across the network today. The vulnerability allow messages to pop-up and third-party websites to open providing surfers move their cursor over a link, earning the flaw the nickname of onMouseOver. Thousands of Twitter …
"or to display spam advertising pop-ups"
It's a good day for Hormel Foods then.
Coat please!
Hilariously, the twerps are just after disabling basic (user/password) access in favour of OAuth.
So in one fell swoop they nobbed simple curl-based command line access, while doing absolutely fuck all to actually increase security since they then (heheheeh) trusted the message content and just served it verbatim on their own site.
#epicfailwhale and #megafacepalm don't really do this one justice.
Again, why the hell do we need all this obnoxious dynamic capability in our browsers? The very concept of MouseOver and MouseClick events has only been used for evil in my experience. The first I saw of this was on eBay where sellers would take over the right click trying to prevent lusers from saving their images. It obviously doesn't work for anyone who knows how to use their PopupMenu key on the keyboard but it annoyed the hell out of me as someone who uses Right click Back to navigate pages. If someone wants to display some popup text the Hint attribute generally works quite well.
You MIGHT argue for some valid use of the click events (expanding tree views and such) but the MouseOvers are inherently wrong. There is an argument that when a user clicks on something they realize there is potential for code execution but simply hovering your mouse should always be safe. I remember teaching people to hover their mouse over links before clicking them to ensure the actual target matched the displayed text (This is key to not getting goatse'd on a lot of message boards).
It would be nice if the browser (or NoScript) provided a way to turn all these various events on/off with some granularity. Better yet just remove them from the browser entirely and force web sites to code their site properly.
So I up-voted you to get you back in the black.
There seems to be rather a lot of this sort of thing lately. What is going on? Trolls? 'Tards? Twunts?
Beer for Eddie. Nils bastardus carborundum.
I guess it'd be nice if everything were laid out in a nice tabular format too, and if CSS didn't make everything so different and hard to read! What's all this user-participation on the web about, while we're at it?
OnMouseOver is a perfectly valid and useful tool. It was dumb of them to leave a hole open, but not for doing hover-based things. Hover-based things can make stuff miles faster. Try using X-mouse for a while, then living without it, and you'll see.
Ever since I found the beauty that is Twidroyd on my Android phone, and Tweetie on my Mac, I've never used twitter.com.
I was even more glad of that when I saw tweets containing raw Javascript in Twidroyd yesterday. How can such a huge, high-profile site make such a school-boy error (not escaping text entered by users before writing it verbatim as HTML?)
Sign up, sign up for The Register's weekly IT security newsletter - click here
