Twitter Exploit Still Works (opens in new tab)

(davidnaylor.co.uk)

63 pointsdredge16y ago21 comments

Twitter XSS exploit from yesterday still works. They haven't done a very good job of fixing it. You only need to see an exploited tweet to be affected!

21 comments

18 comments · 8 top-level

julio_the_squid16y ago· 5 in thread

Seriously, their response was to disable spaces in the form?

There is no legitimate reason for anything other than \w to be in there... how about a real filter? Twitter has been lazy and generally pathetic in just about every area since they began... talk about getting lucky with a good idea.

tdavis16y ago

There is no legitimate reason to not escape the damn output, either. Twitter has officially reached the level of satire, folks.

63 Employees. 55 Million dollars. And twice they fail to accomplish the trivial.

devin16y ago

Well said. I cannot think of a solid reason why this would be a difficult fix. Totally incompetent.

jrockway16y ago

And don't they use Rails, which presumably makes it very easy, if not the default, to escape HTML output?

1 more reply

mattmaroon16y ago

Shocker, the people who can't stop their website from going down all the time aren't very good coders.

kwamenum8616y ago

On the YC submission thread created when this vulnerability was first noticed there were several good solutions suggested for this problem. al3x from Twitter responded to several of the comments and if memory serves he thought several of the solutions would work.

For a halfway decent coder this could be solved in minutes. This has nothing to do with maintaining a huge website as some users have commented. Stuff like this should probably break less when your website is huge.

plainspace16y ago· 2 in thread

does this mean that if I am using tweetdeck on a mac that i am vulnerable?

thamer16y ago

No, the exploit is only for applications capable of interpreting JavaScript, such as web browsers.

blasdel16y ago

Except that there are a lot of RIA twitter clients that render the tweets in a Webkit view.

jdminhbg16y ago· 1 in thread

I generally take the view that people are too hard on Twitter, and that maintaining a gigantic network like this is a lot more difficult than it looks.

This, though, as a 'fix,' is just complete incompetence.

tdavis16y ago

I used to give them the benefit of the doubt on that. I've now changed my view to: it's probably more difficult than it looks, but Twitter makes it look impossible.

jreposa16y ago· 1 in thread

Semi-off-topic, but I found something seriously wrong with Craigslist.

https://post.craigslist.org/manage/1340717167/tkrju#tr231033

That link will allow you to edit that post. You don't even have to be logged in.

I've already alerted them, but let's see how long this lasts.

thomaspaine16y ago

The hashtag isn't necessary, ie https://post.craigslist.org/manage/1340717167/tkrju works too.

Actually, I think craigslist probably views this more as a feature than an exploit. Since you don't need an account to post on craigslist, they can't do normal cookie based authentication, so they just give you a secret url for editing your page. Unfortunately, the only thing secret about the url is a 5 character alpha-numeric string, which I suppose would be possible to brute force.

Titanous16y ago· 1 in thread

If you still want to use the (scary) web interface, there is always NoScript.

kwamenum8616y ago

Twitter should disable everything except registration through the web interface. If it is not a script injection vulnerability, it is a 404 error returned for the CSS file resulting in a linear layout, or the web interface not loading at all. The API on the other hand is usually up (and by extension so are third party apps.) If they focus their attention on supporting the API they could charge app developers a fee, which many would happily pay since they would be the exclusive interfaces used for Twitter (since the web interface would be gone) and they could build ads, charge for app use, and provide customized extended Twitter functionality.

I am completely half serious on this.

lonestar16y ago

To anyone with any level of web security experience, the real fix for this (proper escaping) should be obvious.

For every really trivial vulnerability like this that Twitter can't fix, there must be scores of slightly more subtle vulns that go undisclosed.

Derrek16y ago

Wow... Did some brand new intern get assigned the responsibility to "fix" this?

Like the author said, I think I'll be off Twitter for a little while too.

ulf16y ago

This is unbelievable. Even more so that they would not just disable the displaying of the application until they are sure that thing is fixed. My guess is this was just the beginning of big time spam/phish/... problems for twitter...

j / k navigate · click thread line to collapse

21 comments

18 comments · 8 top-level

julio_the_squid16y ago· 5 in thread

Seriously, their response was to disable spaces in the form?

tdavis16y ago

There is no legitimate reason to not escape the damn output, either. Twitter has officially reached the level of satire, folks.

63 Employees. 55 Million dollars. And twice they fail to accomplish the trivial.

devin16y ago

Well said. I cannot think of a solid reason why this would be a difficult fix. Totally incompetent.

jrockway16y ago

And don't they use Rails, which presumably makes it very easy, if not the default, to escape HTML output?

1 more reply

mattmaroon16y ago

Shocker, the people who can't stop their website from going down all the time aren't very good coders.

kwamenum8616y ago

plainspace16y ago· 2 in thread

does this mean that if I am using tweetdeck on a mac that i am vulnerable?

thamer16y ago

No, the exploit is only for applications capable of interpreting JavaScript, such as web browsers.

blasdel16y ago

Except that there are a lot of RIA twitter clients that render the tweets in a Webkit view.

jdminhbg16y ago· 1 in thread

I generally take the view that people are too hard on Twitter, and that maintaining a gigantic network like this is a lot more difficult than it looks.

This, though, as a 'fix,' is just complete incompetence.

tdavis16y ago

I used to give them the benefit of the doubt on that. I've now changed my view to: it's probably more difficult than it looks, but Twitter makes it look impossible.

jreposa16y ago· 1 in thread

Semi-off-topic, but I found something seriously wrong with Craigslist.

https://post.craigslist.org/manage/1340717167/tkrju#tr231033

That link will allow you to edit that post. You don't even have to be logged in.

I've already alerted them, but let's see how long this lasts.

thomaspaine16y ago

The hashtag isn't necessary, ie https://post.craigslist.org/manage/1340717167/tkrju works too.

Titanous16y ago· 1 in thread

If you still want to use the (scary) web interface, there is always NoScript.

kwamenum8616y ago

I am completely half serious on this.

lonestar16y ago

To anyone with any level of web security experience, the real fix for this (proper escaping) should be obvious.

For every really trivial vulnerability like this that Twitter can't fix, there must be scores of slightly more subtle vulns that go undisclosed.

Derrek16y ago

Wow... Did some brand new intern get assigned the responsibility to "fix" this?

Like the author said, I think I'll be off Twitter for a little while too.

ulf16y ago

j / k navigate · click thread line to collapse