Twitter Suffers Web Interface Exploit 165
HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."
Or mobile (Score:4, Informative)
If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/ [twitter.com]
Hosts file (Score:3, Informative)
Add "t.co" to your Windows Hosts file - this will stop the jibberish text.
Although the web interface is still broke. (The interface goes grey, and
any click still tries to go to the t.co web page)
Add this to your Hosts file:
0.0.0.0 t.co
Re:Hosts file (Score:3, Informative)
That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0
The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.
Re:Hosts file (Score:2, Informative)
But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.
Additional details from Netcraft, Sophos (Score:4, Informative)
Alternative social media (Score:0, Informative)
Or you could just move to a sane and open alternative, like any of the sites built on status.net, such as http://www.identi.ca
Or even roll your own.
Now FIXED (Score:4, Informative)
It is now FIXED.
http://twitter.com/delbius/status/25120366027 [twitter.com]
Re:Hosts file (Score:3, Informative)
http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched [twitter.com]
Re:Obligatory xkcd (Score:2, Informative)
the issue was with sanitizing database OUTPUT.
little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.
Re:Well (Score:3, Informative)
mocking illiterate editors is too easy (Score:3, Informative)
This could easily be muted into a more sinister attack.
mute |myot|
verb [ trans. ]
1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
muffle the sound of (a musical instrument), esp. by the use of a mute.
figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.
mutate |myott|
verb
change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.
Re:First Post (Score:3, Informative)
Easy. The "innerHTML" bit of the code gets the entire contents of the current element, and the rest of the code puts it into the input box and submits it. It's not "cheating" in any sense of the word. You might be having a hard time parsing the code because it's not exactly pure JavaScript - it's using jQuery.