The Members Forum
Administrator / Manager
Twitter fixes major scripting vulnerability


The script (for the sake of disclosure as this vulnerability is making the rounds):

http://twitter.com/[yoururl]#@"style="background-color:white;color:white"onmouseover="alert(insert script here)"/

The URL exploited the ability to pass scripting on a mouseover. This vulnerability was due to Twitter's hyperlinking of usernames by passing the script after the @ tag. Twitter identified and patched the issue after several hours on Tuesday.

Thousands of Twitter accounts posted messages exploiting the flaw. Most Twitter users used the flaw for fun and games according to Graham Cluley at Sophos. "Hopefully Twitter will shut down this loophole as soon as possible", Cluley wrote in a blog post describing the vulnerability. The script made the rounds by retweeting automatically without mouseover.

Twitter confirmed it had fixed the flaw after several hours in a company blog post. "We've identified and are patching a XSS attack", the post said. It was later updated to confirm the flaw had been successfully patched.

This isn't the first time that such a large flaw has existed on Twitter's main website. In early May this year, Twitter users were able to force others to follow them with a simple command inside a tweet. Twitter was quick to act over the flaw. The company issued a status message indicating that the bug was remedied and that protected updates did not become public as a result of the "bug". This latest flaw comes a week after the company announced plans for a total overhaul of Twitter.com.

Neowin has the details HERE!



__________________

http://www.mycomputerplayground.com
http://www.digitaldrama.net
http://www.thisrules.net
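An added example, not code from Twitter or from the post above: a username linkifier that splices whatever follows `@` straight into an anchor tag, which reproduces the attribute-injection pattern the post describes, beside a hardened version that HTML-escapes the tweet text first and only links usernames matching a strict allowlist. The allowlist pattern (1 to 15 characters of letters, digits and underscore), the function names and the probe string are assumptions constructed for the demo.

```javascript
// Added example (not Twitter's code): a naive @mention linkifier and a
// hardened one, plus a crude check for raw event-handler attributes.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: takes everything after '@' up to the next whitespace as the
// username and interpolates it unescaped into both href and the link text.
// A quote in the "username" closes the href attribute and anything after it
// becomes a new attribute on the <a> tag.
function linkifyMentionsUnsafe(text) {
  return text.replace(/@(\S+)/g, (m, name) =>
    `<a href="http://twitter.com/${name}">@${name}</a>`);
}

// Hardened: escape the whole tweet first, then link only usernames that match
// a strict allowlist (assumption: letters, digits, underscore, 1-15 chars).
// The allowlisted name cannot contain quotes, angle brackets or ampersands,
// so it is safe inside the attribute and the link text.
function linkifyMentionsSafe(text) {
  const escaped = escapeHtml(text);
  return escaped.replace(/@([A-Za-z0-9_]{1,15})(?![A-Za-z0-9_])/g, (m, name) =>
    `<a href="http://twitter.com/${name}">@${name}</a>`);
}

// Smoke test for rendered markup: any on*= attribute inside a tag, preceded
// by whitespace or a closing quote (browsers accept both), is a red flag.
function hasRawEventHandler(html) {
  return /<[^>]*[\s"']on\w+\s*=/i.test(html);
}

// Run both linkifiers over a constructed probe (mirroring the quote-then-
// attribute shape of the published payload) and a benign tweet.
function demo() {
  const probe = 'see @"onmouseover="evil()" here';   // constructed test vector
  const benign = 'hello @alice_01 and @bob';         // constructed test vector
  return {
    unsafeProbe: linkifyMentionsUnsafe(probe),
    safeProbe: linkifyMentionsSafe(probe),
    safeBenign: linkifyMentionsSafe(benign),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The order matters in the hardened version: escaping the whole tweet before linkifying means the non-mention text is neutralised too, and the allowlist means a `@` followed by a quote is simply not treated as a mention, so no anchor tag is emitted for it at all. An allowlist on its own would still leave the rest of the tweet text unescaped, and escaping alone would still let a permissive username pattern carry a closing quote into the attribute.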