Twitter Closes Hole After Attack Hits Up To 500K Users
chicksdaddy writes "Twitter closed an ugly cross site scripting hole in its Web page Tuesday morning, but not until a fast moving attack, including at least two Twitter worms, compromised hundreds of thousands of user accounts. At its height, the attacks were hitting 100 Twitter users each second, putting estimates of the total number of victims at around 500,000 according to researchers at Kaspersky Lab."
Seriously (Score:5, Insightful)
How complicated is it to write somewhat secure software that processes 140 character messages?
Re:Seriously (Score:5, Funny)
How complicated is it to write somewhat secure software that processes 140 character messages?
Yeah, they should shorten it to 70 characters and make it twice as secure.
Re: (Score:2)
But there would be less entropy in 70 character messages. What they need to do is double it to 280, but require every other character to be random. Nobody could hack that!
Re: (Score:2)
After much back and forth, we figured out that they were passing the key in as ASCII bytes of the minimum key length, effectively using a 64-bit key.
Technically they had a 128-bit key (16 x 8-bit ASCII characters). Limiting the key selection to ASCII characters 0-F just means they had an artificially small key space. This is only a help if the attacker knows what they did, in which case it would significantly speed up a brute force attack. Essentially the same issue as with long passwords that are only lower case characters.
Re: (Score:2)
How about allowing for unlimited characters, but store it in a 128-bit MD5 hash? It isn't as secure as SHA-256, but it is close enough for this work.
Re: (Score:2)
And Twitter pages would be so resource-intensive they'd make Slashdot pages seem to load fast in comparison. Twitter would eventually require a "fast launch" component that pre-loads Twitter code into your RAM on boot.
Re: (Score:2)
"and add features nobody wants" going by the demand for url shortening services, TwitPic, TwitVid, etc, etc. It's obvious there is demand for new features.
Re:Seriously (Score:4, Insightful)
"and add features nobody wants" going by the demand for url shortening services, TwitPic, TwitVid, etc, etc. It's obvious there is demand for new features.
And presumably the top of those features would be "allow messages larger than 140 characters so that we can just post the actual URL".
With a few billion dollars and about 40 years worth of solid development, Twitter might eventually turn into some sort of simple transfer protocol for multipurpose Internet mail...
Re: (Score:3, Insightful)
Alternatively, as they're happy to expand the tweet metadata to include Location, Date, Time, Platform and Color-Of-Socks, why not add an extra field to contain an optional Link. The link would not be printed onscreen; instead there would just be a Link icon if the tweet contained a link, and the 140 characters would then still be free to describe what the link is linking to.
Re: (Score:3, Informative)
Uh, how hard is it NOT to escape your output?
Maybe it's difficult to sanitize all of your input, fine. So simply escape it properly on output.
It's the same thing with SQL injection mitigation: simply use prepared statements and you don't need to worry about the user's input. (Mostly)
Re: (Score:2)
It's nothing like SQL sanitization, unless you are using pre tags. But that doesn't allow embedded links or formatting.
Escaping HTML is very difficult, especially when you massage the output a bit (i.e. hashtags and http links). There is also Unicode, %20 and &amp; style notation, "double escaping", etc.
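One way to do what the two comments above argue over (escape on output, then linkify hashtags and URLs without double escaping), as an added example that is not code from this thread or from Twitter; the `/search?q=` path, the token syntax and the sample message are assumptions made up for the example:

```javascript
// Added example (not from the thread and not Twitter's code): escape-on-output
// for a 140-character message, with the linkification step the reply calls hard.
// Assumptions: the "/search?q=" path and the URL/hashtag syntax are made up here.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and in double-quoted
// attribute values. Apply it exactly once, at the point text enters HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Tokens recognised in the RAW (unescaped) message. The URL branch admits only
// http/https, so no other scheme is ever turned into a link, and it stops at
// characters that could close the attribute or the tag it is written into.
const TOKEN = /(https?:\/\/[^\s<>"']+)|#([\p{L}\p{N}_]+)/gu;

// Correct order: tokenise the raw text, then escape each piece as it is
// written into its HTML context (text node, or double-quoted href attribute).
function renderTweet(raw) {
  let html = '';
  let last = 0;
  for (const m of raw.matchAll(TOKEN)) {
    html += escapeHtml(raw.slice(last, m.index));
    if (m[1] !== undefined) {
      const url = escapeHtml(m[1]); // same escaping serves text and a quoted attribute
      html += `<a href="${url}" rel="nofollow">${url}</a>`;
    } else {
      const tag = escapeHtml(m[2]);
      const q = escapeHtml(encodeURIComponent('#' + m[2])); // URL-encode, then HTML-escape
      html += `<a href="/search?q=${q}">#${tag}</a>`;
    }
    last = m.index + m[0].length;
  }
  return html + escapeHtml(raw.slice(last));
}

// Wrong order, kept for contrast: linkify first, then skip escaping because a
// later escape would destroy the anchors just inserted. Whatever markup the
// message contains reaches the page intact.
function naiveLinkify(raw) {
  return raw.replace(/(https?:\/\/\S+)/g, '<a href="$1">$1</a>');
}

// The other pitfall the reply mentions: escaping text that was already escaped
// on input makes "&amp;amp;" render literally as "&amp;". This check flags it.
function isDoubleEscaped(html) {
  return /&amp;(amp|lt|gt|quot|#39);/.test(html);
}

// Constructed sample message (not a real tweet).
const SAMPLE = 'Check http://example.com/?a=1&b=2 #news <b onmouseover=x>hi</b>';

console.log(renderTweet(SAMPLE));
```

The two functions give different answers for the same message: `renderTweet` turns the trailing `<b ...>` into visible text, while `naiveLinkify` passes it through as live markup.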
Re: (Score:3, Informative)
And it isn't twitter's first security problem.
Re: (Score:2)
Not very difficult, unless of course you put the command and control structure within the same information channel as the content, sans escaping or syntax. Then you have the nasty problem of any particular string of characters being content, instructions, or both.
...did I miss it? (Score:1)
Re: (Score:1)
http://status.twitter.com/post/1161435117/xss-attack-identified-and-patched
Interesting, yet pointless (Score:5, Interesting)
Really, I know a lot of people seem to be using twitter, but I just don't get it. Am I too old? Hell, I don't actually know anyone using it. At least I don't think I do.
Why are people so interested to read an internet based text message? Is it really better than reading a well thought out and reasoned article about something?
More and more I see on all these tech news sites and blogs that they heard from so and so's tweet that such and such will be released with this and this. Then, all the other news sites link to the first blog who is using twitter as a source of information.
Since when is a text message a reliable source of information?
Re:Interesting, yet pointless (Score:4, Insightful)
Actually, no, as a means of just sharing links to information it sucks, because you generally can't fit URLs and useful description into 140 characters--so you either have to skip describing the thing you're linking to, or you have to obfuscate the URL through a redirection service.
Facebook, delicious.com, Tumblr etc are much better ways of sharing links to information.
Re: (Score:2)
Plus it allows me to interact, which RSS does not.
Re: (Score:2)
or you have to obfuscate the URL through a redirection service.
I refuse to click on those; too easy to be goatse'd or rickrolled.
Re: (Score:1)
Actually, no, as a means of just sharing links to information it sucks, because you generally can't fit URLs and useful description into 140 characters--so you either have to skip describing the thing you're linking to, or you have to obfuscate the URL through a redirection service.
Oh come on. Twitter clients like Tweetdeck automatically shorten links that you paste into them.
Re:Interesting, yet pointless (Score:4, Informative)
Oh come on. Twitter clients like Tweetdeck automatically shorten links that you paste into them.
Thereby destroying the name-referentiality of the Web, so as soon as one of those URL-shortener services goes out of business, poof, all the links in saved messages evaporate.
Tim Berners-Lee cries!
Re: (Score:2)
Thereby destroying the name-referentiality of the Web, so as soon as one of those URL-shortener services goes out of business, poof, all the links in saved messages evaporate.
If they are worth it then the sites can be found another way.
Re: (Score:2)
Well duh. Or the web site you link to re-engineers its layout without providing back-compatible redirection...
Anyhow - I store bookmarks in my bookmark collection. Twitter is mostly a way of quickly sharing and discovering ephemeral information, anyways: If I want to keep stuff, I export it from the cloud.
Re: (Score:2)
I'm not completely disagreeing with you, but the fact that the messages just come to my phone, rather than having something I have to go out and seek, is convenient.
Even saying that, I *do* wish I could also/instead have the tweets of each twitter user I follow emailed to me once a day. It'd be even easier to skim that way.
Re: (Score:2)
I treat it more as an RSS feed
So why not use RSS?
Re: (Score:2)
Cause most things these days offer a Twitter feed but not many offer RSS. Plus Twitter is two-way.
I basically just use Twitter as a glorified aggregation service. News headlines from a variety of sites. My ISP's file mirror updates. Updates from bands I follow. Info from online games that I play. Half these organisations don't have RSS feeds, and even if they did, you can't communicate back to them, which is very handy. I even had an issue with my mobile phone provider sorted out via Twitter the other week -
Re: (Score:2)
Seconded. If you try to follow a lot of people on twitter (in an effort to conform to some social rules and not shun people who you like) then it will become useless except as your own broadcast tool. The trick is to follow enough people who tweet at a rate such that the amount of new stuff to read at the frequency you check twitter isn't under- or overwhelming.
There, I made it a maths problem and as such will make slashdotters interested in it.
The good thing about twitter is that you can use it to update
Re: (Score:1, Insightful)
Yet, you read and post Slashdot comments.
Re:Interesting, yet pointless (Score:5, Insightful)
Yet, you read and post Slashdot comments.
It's no fun complaining about something if no one sees or hears you doing it.
I have a theory that this is also why Facebook and Twitter have gained so much popularity. Half the updates I see on either are complaints about work, chores, some person who won't be named but must be publicly called out on some unspecified charge and/or the weather.
Re: (Score:2)
That explains why people post to Twitter. Why do people read it?
Re: (Score:2)
That explains why people post to Twitter. Why do people read it?
People want to feel part of a group that bitches about things they bitch about?
Re: (Score:2)
That explains why people post to Twitter. Why do people read it?
Who says anybody reads it?
Re: (Score:2)
Sorry... I fail to see how slashdot and twitter are anything alike. Explain please.
Are you saying that I can post a comment on someone's twitter account that everyone else can see and then some random douche can make a comment on it? I didn't think twitter was like that at all.
Re:Interesting, yet pointless (Score:5, Informative)
That's not the point. Microblogging isn't blogging. Look, here's some people I follow on twitter:
1) Wikileaks - they announce new leaks and news articles about 'em
2) Bands, e.g. Oceansize tweeted "People of York, be warned we are likely to be opening the doors late. There are fucktonne of problems with this venue.". 65dos also just released a free track!
3) Comedy stuff, e.g. the chilean_miner account: "Another troubled night. Ramon was mining in his sleep again" or Jesus_M_Christ: "Mesus Christ, I got hacked? I knew it was a mistake to mouseover a link on Judas' Twitter page."
4) Friends, who talk about their daily lives (these things interest me)
5) Work colleagues, to see what conferences they're at and what they're working on
6) Stuff to do with the societies I'm in at uni, like student robotics organising get-togethers and pub trips.
Try it. Follow your favourite authors, musicians, websites and so forth. It's like a huge aggregated RSS feed with stuff that isn't normally syndicated included.
Re: (Score:3, Funny)
Well, at least shorter crap.
Re: (Score:2)
So twitter is nothing at all?
Re: (Score:2)
I guess I can see your point with the items you listed. They do seem to be valid use cases.
I think perhaps the root of the problem is that I can't think of a single person whom I would want up to the minute updates on.
Still... I can imagine perhaps sporting events or maybe a huge news story while I'm at work or on my mobile and don't have a proper connection handy.
Re: (Score:2)
I can't think of a single person whom I would want up to the minute updates on
Neither can I. That's why I don't follow anybody who tweets their poops.
Re: (Score:1)
http://www.penny-arcade.com/comic/2008/4/23/ [penny-arcade.com]
Re: (Score:1)
Nope. Never seen it. Not surprised it was thought of before though.
Re: (Score:2)
If this is what all your friends are doing, may I suggest the problem is with them, not the medium?
Re: (Score:1)
Yup, it's pretty much IRC, except one's future employer has been provided with a better search engine to find out all the inane crap we spouted 20 years from now ;-)
Re: (Score:2, Funny)
Behold, the Twitter dualism:
1. All tweets are mindless drivel about what someone ate, the weather, and other trivialities.
2. Your potential employer will mine this deeply personal information and use it against you.
Re:Interesting, yet pointless (Score:5, Insightful)
No, I don't use Twitter. Yes, I see the point of using Twitter. No, I don't go around telling people how great life is without Twitter.
I'm sure that there are thousands of fantastic services out there, both on the internet and IRL, for which I have no use, and loads of great services for which I can't even envisage a practical use.
Another thing: your own viewpoints aren't the only ones and are likely to be incorrect or incomplete when thoroughly scrutinized. Deal with it.
Re: (Score:1)
I spend a lot of time bashing Facebook, Twitter and even the concept of Blogging, is because I'm so god damned tired of everyone talking about it as if it's something new! I mean
Re: (Score:2)
Not pointless as technology, even if mostly filled with useless stuff.
Twitter replaces a bit of email and a bit of irc in a web2.0 fashion. Which is: take internet protocols that mostly worked, enhance their functionality (when possible) and put them in a centralized webapp (the "cloud" has to do with the internals of the app's server infrastructure, so "centralized" is the right term). With all pluses and minuses of a monoculture.
The web2.1 seems to be: instead of webapps sell apps for smartphones instead,
Re:Interesting, yet pointless (Score:4, Funny)
Face the facts. Email is for us old people. Twitter is for, well, twits. But that's OK, the nurses are kinda cute and I like not having to get up early in the morning.
Re: (Score:3, Insightful)
Is it really better than reading a well thought out and reasoned article about something?
I like how you ask this on a site that routinely uses the term "RTFA".
Re: (Score:2)
And to add to that there are many sorted, nested comments that are ranked to enable you to find the most relevant informative posts. Most of which break the 140 character limit.
None of this is available in twitter. It is not at all conducive to informative discourse nor does it
Re: (Score:2)
To be fair, the summary is still more information than a tweet.
To be fair, most people respond to a thread with less than 140 characters worth of unique information in the summary. It's not like we're talking about excerpts that are densely packed. Look at your own post. Here's the pertinent info:
"Summaries and comments have more information than tweets, therefore Twitter is useless".
All the other words were used in an attempt to defend against my inevitable rebuttal.
Re: (Score:2)
That depends on what the listener of the information you're offering is trying to gain from it.
Re: (Score:3, Insightful)
While Twitter is not a Jack Of All Trades as Facebook claims to be, for example, it is a very useful tool for information freaks. It really is useful IF used properly - or a complete waste of time if not. I use it to get info about a lot of interesting things which I would miss otherwise. No, I don't use it for 'OMG Radiohead rulles'. I also use it for spreading information which can be interesting for others too.
In fact Twitter IS micro blogging, so in a nutshell, it has mostly those same strengths and weaknesses as
Re:Interesting, yet pointless (Score:4, Interesting)
That way, it's "hey, you're new to the team, subscribe to @MySoccerTeamName and get all the info on when/where our games are, planning for team BBQs, etc."
Because someone always changes an email, or someone gets all spam-infected and spews to the whole list or whatever and you have bounces, etc.
A twitter feed is just dead simple. It's also nice for quick updates; I couldn't make the game, but the captain tweeted a 5-2 win immediately after, so I got to see it.
It's incredibly nice; no need to visit a webpage or check your email or whatever, it's in a little app that everyone has on their phone or computer or whatever.
Re: (Score:3, Insightful)
Because someone always changes an email, or someone gets all spam-infected and spews to the whole list or whatever and you have bounces, etc.
A twitter feed is just dead simple. It's also nice for quick updates; I couldn't make the game, but the captain tweeted a 5-2 win immediately after, so I got to see it.
It's incredibly nice; no need to visit a webpage or check your email or whatever, it's in a little app that everyone has on their phone or computer or whatever.
All these things are sensible, but I have two major questions:
1. Why isn't something this widely useful (publish/subscribe messaging) a protocol - logically, an SMTP extension - rather than a proprietary web application?
2. Why does it have to be limited to 140 characters? People who want publish/subscribe also want to send arbitrary files to all their friends, not just tiny snippets which can't even store a Web-standard URL. Since most people on mobile devices now use data services, there seems to be no rea
Re: (Score:1)
1. Why isn't something this widely useful (publish/subscribe messaging) a protocol - logically, an SMTP extension - rather than a proprietary web application?
Probably because nobody has made one, or at least not one that was as easily adoptable.
2. Why does it have to be limited to 140 characters? People who want publish/subscribe also want to send arbitrary files to all their friends, not just tiny snippets which can't even store a Web-standard URL. Since most people on mobile devices now use data services,
Re: (Score:2)
Because the folks at Twitter made it, and seem to want it that way. Not ideal, but if it had been launched as a protocol it would be basically impossible to get updates and tweaks happening. There's probably a lot more to this, but basically it boils down to the fact that VC sponsored ideas are not likely to become protocols.
Re: (Score:2)
This seems arbitrary, but it's a key part of why Twitter is good. You can't post long, boring diatribes. You have to be snappy and concise.
Though I agree with you, I always thought the 140 character limit wasn't arbitrary, but a limitation imposed by the fact that many people at the time were getting Twitter updates over SMS.
I know that's why my friends and I originally got onto Twitter. At that time, mobile internet was expensive and web integration in mobile phones wasn't anything to write home about (for example, most phones wouldn't allow a background service checking your twitter feed on the internet).
Nowadays, that's changed. I suspect t
Re: (Score:2)
1. If it were some kind of e-mail extension, spam would be more of a problem. There are three kinds of Twitter messages. The normal "timeline" messages of people you follow, mentions and direct messages. Spammers can't send you direct messages or appear in your timeline unless you follow them (and spamming you would get you to unfollow them quickly). They can still use mentions, but there's a limit to how many people one mention can include and Twitter has added a "Report a Spammer" tool which takes sp
Re: (Score:1)
You overestimate the rate at which people upgrade their phones. You may be rich, but there are plenty of folks out there using 15-year-old Nokias.
Re: (Score:2)
SMS is 160 characters because research determined that to be sufficient length for one thought.
Bzzt, wrong. You do get consolation points for the warm and fuzziness of your answer though!
SMS is 160 characters because that's the number of leftover, unused bytes in the packets that your cell phone is constantly exchanging with the cell towers, which also carry info on signal strength and other technical network info the phone and tower use to manage communications. When you send a text, it hitches a ride on one of these packets that was going to be sent anyways, and the carrier makes money. Ka-ching!
Re: (Score:2)
And you can read Twitter messages in an RSS feed format. However, my phone (which isn't a smartphone) can't pull down the latest RSS feed updates via SMS and let me update my RSS feed by sending an SMS message. There are different ways of accomplishing the same thing. Twitter is one way of doing it and it is an easy way for many people.
Re: (Score:2)
"Really, I know a lot of people seem to be using twitter, but I just don't get it. Am I too old?"
I used to think the same thing until I started playing with it. It's all about who you follow. For instance, I follow Weird Al and every couple of days he posts something funny. And it's also how I found out about a Ustream Q&A that he was doing one day. Back in 2008, I was following Leo Laporte, but instead of tech posts, I was getting commentary on the US presidential elections. So I unfollowed him. It's
Re: (Score:2)
Technical truth is I post the update on Facebook and let it forward to Twitter. It automatically applies URL shorteners for me, making things even easier.
Re: (Score:2)
Do you post stuff yourself, so they get to follow you as well? (It is a serious question, especially since you mentioned that you don't text. I might start doing it as well, but I can also text.)
It is the txt generations (Score:2)
See Rudy Park: it's the txt generation, which believes that instant information, no matter how shallow, is a good thing and actually faster than the old fashioned slow media... like when an aircraft crashed in Holland, twitterers were very proud that twitter reported it first. Except it didn't. The radio did.
It fits with a generation raised on txt and very short attention spans. For many, this rant is already far too long. And I say generation, but really mean a group because not all young people are twitter
dupe (Score:1, Insightful)
This was covered in the original post this morning. Nothing new in FTA versus the comments in the other one...
Obligatory (Score:4, Funny)
Twitter closes hole after attack hits up to 500 000 of its users, known as twits.
Title should have been: The early bird... (Score:4, Funny)
Twitter has a hole? (Score:2, Troll)
I thought Twitter was between two holes ... ??
http://30.media.tumblr.com/hnBdf3xhZn70lld3VLy3gSBUo1_400.jpg [tumblr.com]
Twit of the year (Score:1, Troll)
cost? (Score:2)
putting estimates of the total number of victims at around 500,000 according
What if each text costs ten cents? That's $50K of revenue for the telcos. Since "everyone knows" the actual cost of service is like a millionth of a cent per text, that's about $50K profit for the telcos.
noscript (Score:2, Informative)
Why all the hate? (Score:3, Insightful)
I don't like facebook, but I can see its value, particularly if you manage it right and use it to share news and photos with friends and family etc. There are other valuable uses, but I use the example.
I still don't use it.
I don't use bebo, or myspace, or facepalm or crotchpunch.
Doesn't mean I have to hate on them.
I use twitter in much the same way other people have mentioned. I don't follow twitter shitters (people who tweet constantly about inane shite). But I do follow people who provide interesting information, along with people I know and a range of news sites from aljazeera to bbc, to the NZ news site stuff, to Scientific American, and a range of others!
I follow a range of people, and I find twitter useful because I can fire up my smartphone, pull up my twitter client and get a "snapshot of the world", and that's really what it is. Any big news event happens, anywhere in the world, I would probably put money on the fact I'll hear about it before anyone who isn't on twitter and isn't directly affected.
XKCD did a great comic about how people could hear about an earthquake via twitter before the actual shockwaves hit them.
But in short, if you don't want to use twitter, then don't, but all that your raging anti-twitter stance says is "I tried twitter but nobody followed me back",
so obviously you had nothing to add; therefore thank you for not using the service, you've increased its value already!
Re:Why all the hate? (Score:5, Insightful)
BBS, finger, chat, IRC, email, IMs of 90 flavors, pagers, forums, MySpace, texting, LiveJournal, Blogs, Facebook, Twitter, LinkedIn, etc...
I think the Twitter hate is because you are hanging around the demographic that's largely filled its quota for "new shit that I have to keep track of". Add in our games, RSS feeds, slashdot, comics, etc., and we've filled our time on the internet. We either have to start purging old methods of communication and old pastimes, or we can't start new ones.
Right now, there's a large number of us who have thriving communities in enough places that we're not interested in another. It's not just Twitter - that's just the one that we're being pushed the hardest to adopt. And for a lot of us, Twitter doesn't hold a draw. I'm sure you've found some reasons to adopt it. But I don't have time for it. I'm full up.
Yet here you are, blathering on about how you use Twitter for so many things, how useful it is, blah blah blah.
Does it make any more sense now why the Twitter hate? We don't care already. Shut up about it. Some of us aren't about to give up something else for Twitter, and we'd need to in order to pay attention to it.
Our information bandwidth has been exceeded.
The sooner you and everyone else stops rambling on about The Next Big Thing On The Internet, the sooner we'll stop hating it.
(For the record, I came here to find technical details about the XSS, for although I don't care about Twitter, the details are important in the grand context of the internet. I just figured since you hadn't figured it out yet, I'd stop and point out why a lot of us hate Twitter. And your post which had nothing to do with the details of this attack is a prime example. We get it. You want to make passionate love to Twitter and have its babies. Yet you come to an article about a hack job, and instead of posting anything interesting about the technical aspects, you post a totally unrelated bit of flamebait about "Twitter Hate". That's why we hate Twitter. People doing what you just did. So if it bothers you that we hate your exciting new lover, stop posting shit about your love for Twitter when it's entirely inappropriate.)
Re: (Score:1)
It's the disproportionate, misinformed hype that never seems to go away that makes me want to punch twits in the face.
Re: (Score:1)
I get the impression that the people who love People Magazine and OMG are the same people that think Twitter and F-Book are wonderful.
An XSS attack? Really? In this day and age? (Score:2)
This is an old (for the web) type of attack. No web site should be vulnerable to this sort of thing because all web developers (including me) know to sanitize their inputs. If only in order to avoid a Bobby Tables incident [xkcd.com]
Re: (Score:2)
That's the point!
By my calculations (Score:2, Interesting)
Please explain (Score:2)
So, twitter is a bit like IRC. Is there a web interface to an IRC server that works in a similar way to twitter? It seems a bit silly to re-invent a protocol that's like IRC, but with fewer characters per message.
Re: (Score:1)
As for the Twit-Hate noted earlier, (and in every post on
But something was gained! (Score:5, Funny)
Anything that gets Twitter to shut its damn hole is a good thing IMHO.