IE 'Twitter rolling' attack trivial to launch

An information disclosure threat in Microsoft's Internet Explorer affects all supported versions of the browser and, among other things, makes it trivial for attackers to force victims to post attacker-dictated messages on Twitter, a security researcher said this week. The “Twitter-rolling” attack, which was first described …

COMMENTS

This topic is closed for new posts.
  1. Tom 35

    Fix IE

    "it seems easier to make a single change in the IE code base than to expect an untold number of webmasters to revise their sites"

    Fixing the sites will only work for the ones who expose the "feature" in error. It's not going to help with sites (or hacked sites) that do it deliberately. The only answer is to fix IE.

  2. Wibble

    Nein, nein, nein

    If IE Nein doesn't suffer from this vuln, then at least they've finally written some new code.

    I expect it's related to the scripting built into CSS that's proprietary to IE. If it's quirks mode then IE Nein will also suffer as it ships with no fewer than four parsing engines for backwards incompatibility with their browsers formerly known as "great" or "best ever", but now on the scrap-heap.

    This can be blamed on Ballmer too

  3. TerryAcky

    [There are some problems with your post]

    “The primary responsibility has got to fall on the developer who is taking untrusted data and putting it in a CSS context within an HTML page,” he told The Reg. “If you don't escape properly, you're going to have XSS every time. Until developers get that through their head, we're going to have to live with lots of XSS holes.”

    Hear, hear that man!

    In this instance I see no reason why IE should not be 'fixed'. However, if it's XSS, then the so-called developers should learn to code responsibly. If any developer blindly allows attackers to inject code - either through laziness or ineptitude - they deserve what they get... Hopefully a job collecting and emptying wheelie bins.

    All the same, it won't hurt Microsoft to issue an update to resolve their end. (At least then 'developers' delivering unfit code may start to assume responsibility for their mistakes. Then again, probably not).

  4. Anonymous Coward
    Thumb Down

    this is still XSS. Don't blame the browser

    No offence but this is still an XSS vulnerability. Learn to validate inputs, guys! Just because it's supposed to be CSS doesn't mean you should validate it!!!

  5. Andy Shaw
    Stop

    Jeff Williams wrong?

    Granted I'm currently a dilettante in this field, but if I'm reading the blog entry you linked correctly, Mr. Williams is wrong. No JavaScript is being injected into Twitter, and whilst a small portion of text that looks like CSS is 'injected' (which is to say posted perfectly normally), escaping everything that looks like it might be CSS is going to be pretty hard and probably have some false positives - if it's not outright impossible. Notwithstanding, of course, that when viewed by itself in a browser it's utterly harmless. The posted text isn't in a "CSS context" as Mr. Williams put it until an attacker uses the Twitter page as a stylesheet for his attack page. And the CSS doesn't have any JavaScript in it then, either.

    The issue is that IE - when told that the Twitter page in question is a CSS file - tries to parse the page, and despite any number of issues that should prevent it from doing so, sticks pretty much the entire thing into an easily-accessible CSS property. That property can then be parsed by JavaScript on the attacker's site. That's pretty clearly an IE bug to me.

    Perhaps Mr. Williams should have examined the sample exploit more carefully before commenting?

  6. Destroy All Monsters Silver badge
    Coffee/keyboard

    Awesome quote

    "Until developers get that through their head, we're going to have to live with lots of XSS holes."

    This shall be saved for ..err ... posterity.

  7. Joe Montana
    FAIL

    IE flaws

    There are more flaws like this, and they all boil down to IE not following standards where other browsers do...

    For instance, if the server returns a content type of text/plain but the text contains HTML tags, most browsers will display it as plain text.. IE will ignore the content-type and try to render the HTML.

    For any other browser, setting the content-type to text/plain is enough to eliminate any XSS vulnerabilities since the browser will make no effort to parse anything.

  8. Winkypop Silver badge
    Joke

    IE flawed?

    Who knew?

  9. Colin Millar
    Badgers

    IE doesn't enforce content-type shocker

    This is news?

    I thought it was common knowledge to everyone since ever.

    Relying on http headers for your security!!! Yeah - that's a good idea.
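
The behaviour comments 5 and 7 describe, as an added example that is not part of the original thread or any browser's source: a JavaScript model comparing a handler that ignores the declared Content-Type with one that enforces it. The handler names, URLs and sample responses are constructed for illustration, and the same-origin tolerance is an assumption of this model.

```javascript
// Added illustration, not browser source. Handler names, URLs and bodies are constructed.
const essence = (ct) => (ct || "").split(";")[0].trim().toLowerCase();
const origin = (u) => new URL(u).origin;

// Behaviour the commenters attribute to IE: the requesting context and the body
// decide how a response is parsed; the declared Content-Type is ignored.
function sniffingHandler({ context, body }) {
  if (context === "stylesheet") return "parsed-as-css";
  return /<\s*(html|body|script)\b/i.test(body) ? "rendered-as-html" : "shown-as-text";
}

// Enforcing behaviour: the declared type decides, and a cross-origin response
// reaches the CSS parser only when it is labelled text/css.
function enforcingHandler({ context, pageUrl, url, contentType }) {
  const type = essence(contentType);
  if (context === "stylesheet") {
    if (type === "text/css") return "parsed-as-css";
    // Assumption of this model: a mislabelled same-origin sheet is still tolerated.
    return origin(pageUrl) === origin(url) ? "parsed-as-css" : "blocked";
  }
  return type === "text/html" ? "rendered-as-html" : "shown-as-text";
}

// Constructed sample responses.
const samples = [
  { name: "HTML page pulled in cross-origin as a stylesheet", context: "stylesheet",
    pageUrl: "https://third-party.example/", url: "https://social.example/home",
    contentType: "text/html; charset=utf-8", body: "<html><body>timeline</body></html>" },
  { name: "text/plain response whose body contains tags", context: "document",
    pageUrl: "https://social.example/", url: "https://social.example/raw/1",
    contentType: "text/plain", body: "<html><b>not markup</b></html>" },
  { name: "genuine cross-origin stylesheet", context: "stylesheet",
    pageUrl: "https://social.example/", url: "https://cdn.example/site.css",
    contentType: "text/css", body: "body { color: #333 }" },
];

// Run every sample through both handlers so the differences line up side by side.
function compare() {
  return samples.map((s) => ({
    name: s.name, sniffing: sniffingHandler(s), enforcing: enforcingHandler(s),
  }));
}

for (const r of compare()) console.log(`${r.name}: sniffing=${r.sniffing}, enforcing=${r.enforcing}`);
```

Only the first two samples differ between the handlers; the correctly labelled stylesheet loads under both, which is why enforcing the declared type does not break legitimate cross-origin CSS.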
