
Twitter Suffers Web Interface Exploit

CmdrTaco posted more than 3 years ago | from the they-meant-to-tweet-that dept.

Security 165

HaloZero writes "We're seeing lots of re-tweets on Twitter.com right now, all containing a fragment of JavaScript, which re-tweets itself when moused-over on the Twitter web interface. This could easily be muted into a more sinister attack, so it is recommended that you use a third party client application, or refrain from social media altogether until the problem is resolved."


165 comments

First Post (5, Funny)

Anonymous Coward | more than 3 years ago | (#33648718)

http://t.co/@ [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/

Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:First Post (5, Funny)

blai (1380673) | more than 3 years ago | (#33648776)

RT @Anonymous\ Coward http://t.co/@ [t.co] [t.co]"onmouseover="document.getElementById('status').value='RT test_nau';$('.status-update-form').submit();"style="background:red"/ Before you mod me down, please consider the fact that I have a sense of humour plus I posted using "Plain Old Text" plus the script does not work on Slashdot.

Re:First Post (-1, Offtopic)

Ractive (679038) | more than 3 years ago | (#33648790)

Since you're posting anonymously what the hell does it matter if you are modded down?
I'm the one who should be worried to respond to your post

Re:First Post (1)

somersault (912633) | more than 3 years ago | (#33649258)

It's all a ruse. If someone tries to mod him down, he shall become more powerful than we could possibly imagine. Or at least, the script will start working :0

Re:First Post (1)

rickb928 (945187) | more than 3 years ago | (#33649594)

Naw. ACs have a short lifespan. They were made [wikipedia.org] that way. We need not concern ourselves with them unless they become dangerous.

What dangerous is should be obvious.

Well (1)

The MAZZTer (911996) | more than 3 years ago | (#33648728)

I'm sure glad all the tweets about this have the #mouseover hash tag so I can click on it in my client to open the twitter.com web interface and read about how I shouldn't use the twitter.com web interface.

Re:Well (1)

The MAZZTer (911996) | more than 3 years ago | (#33648764)

Looks like any JS event for anchor tags can be used (I just made one using the sample seen in the article for an onclick handler that returns false).

Re:Well (2, Informative)

The MAZZTer (911996) | more than 3 years ago | (#33649174)

Oh fun, the Chromed Bird extension for Chrome will happily inject onmouseover events into its popup HTML too. Good thing extensions are sandboxed.

Or mobile (3, Informative)

bbtom (581232) | more than 3 years ago | (#33648730)

If you want to use the web interface, the mobile version isn't affected: http://m.twitter.com/ [twitter.com]

Re:Or mobile (0)

Anonymous Coward | more than 3 years ago | (#33648928)

But I don't use twitter at all, how does that help me you insensitive clod!?

Re:Or mobile (4, Funny)

bbtom (581232) | more than 3 years ago | (#33649150)

The conditional word "if" was included for your convenience.

Re:Or mobile (2, Funny)

JustOK (667959) | more than 3 years ago | (#33649682)

So, if he doesn't want to use the web interface, then is the mobile version affected or not?

Re:Or mobile (2, Funny)

Bonewalker (631203) | more than 3 years ago | (#33650006)

If a social media hub is infected with a virus and no one is around to mouse-over it, would it still make Slashdot's front page?

Hmm (4, Insightful)

grub (11606) | more than 3 years ago | (#33648738)


Why, again, should I be using Twitter?

Re:Hmm (4, Funny)

MrHanky (141717) | more than 3 years ago | (#33648778)

It's the best, perhaps only way to automatically retweet. That's a fairly unique service.

Re:Hmm (1)

somersault (912633) | more than 3 years ago | (#33649294)

Can't really tell if that's a joke about the article, or whether that's actually meant to mean something useful. Doesn't really help answer his question either way..

Re:Hmm (1)

Pojut (1027544) | more than 3 years ago | (#33648844)

I use it to keep up to date on writers, scientists, actors, game developers, etc. As a communication tool amongst people I know "in person", I see no use for it. As a tool for staying up to date with various personalities in the geek, gaming, movie, and scientific communities, it's perfect.

Re:Hmm (1)

grub (11606) | more than 3 years ago | (#33649028)

Yes, for that I agree, should have clarified and meant as a 'tweeter'.

Still think I nailed it when I wrote "Twitter: the UDP of human conversation. -me" [slashdot.org]

Re:Hmm (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33649264)

And I think your comparison isn't nearly as clever as you think it is. Kind of like I thought the last 50 times you posted it.

Re:Hmm (1, Insightful)

kisrael (134664) | more than 3 years ago | (#33649114)

I can't tell you why you should be using Twitter, but some of us have friends or know of folks online who are good at dropping the pithy bon mot, or find it a convenient way to announce things.

Why again should you be using email? Or SMS txt'ing? Or slashdot?

Re:Hmm (1)

NotBorg (829820) | more than 3 years ago | (#33649668)

Email? Meh, old news. Texting? Meh, newfangled. Slashdot? Ah Slashdot: You will never find a more wretched hive of scum and villainy. We must be cautious.

Re:Hmm (1)

AbRASiON (589899) | more than 3 years ago | (#33649386)

I have mod points, so it's really hard to decide if I should reply or just send your obvious bait into oblivion.
Instead I'll bite though.

I hated twitter when I first heard about it, I didn't 'get' it. Now, having used it - it's the most powerful communications tool I've ever seen, period.
It's a perfect replacement to SMS, I can see if events are occurring internationally almost instantly, I can broadcast things to all or keep them private. It's an incredible tool for sharing information and frankly should be the end of SMS, period.

Once you realise you can respond to some very interesting people at the click of a button you'll possibly appreciate it.

Re:Hmm (1)

Bill, Shooter of Bul (629286) | more than 3 years ago | (#33649468)

judging by the media, I'd say you're supposed to use twitter if you're ever in jail/kidnapped in a third world country. Then you'll be set free by a flashmob of justin berbers, only to discover you've just been punk'd.

Re:Hmm (0)

Anonymous Coward | more than 3 years ago | (#33650076)

Why, again, should I be using Twitter?

The more fundamental question is "why, again, should I be allowing Javascript?"

Again? (4, Insightful)

Dragoniz3r (992309) | more than 3 years ago | (#33648748)

You'd think people would've learned by now that you can't allow random strings of script in user-submitted data. Why is filtering this stuff out not part of standard input sanitization practices by now?

Re:Again? (1)

NevarMore (248971) | more than 3 years ago | (#33648806)

What if it's a tweet about programming in JavaScript?

Re:Again? (1)

Dragoniz3r (992309) | more than 3 years ago | (#33648826)

Then you escape it so it displays, instead of executing... seriously... same way you handle < and > and all the other naughty characters

Re:Again? (0)

Anonymous Coward | more than 3 years ago | (#33649204)

Why not allow random strings of script in user-submitted data, and have the server escape it instead of forcing the user to do it?

Re:Again? (1)

martas (1439879) | more than 3 years ago | (#33648832)

then force people to use escaped sequences. i.e. only display "computer.fuckUp()" at the very last step, in the ui. everywhere else it should be "computer\.fuckUp\(\)". [note: toy example. not actually claiming that '.' and parens should be escaped...]

Re:Again? (1)

Jason Levine (196982) | more than 3 years ago | (#33649008)

Easy. If they escaped double-quotes (") to &quote; then this wouldn't happen because the code wouldn't be able to escape the href section of the link.

Re:Again? (1)

Deag (250823) | more than 3 years ago | (#33648846)

I think it is half solutions that are the problem. Allowing any sort of tags allows for adding script to various events and the like and even stripping them is quite difficult.
You either need to use a library that is proven to do this or escape all html.

Re:Again? (0)

Anonymous Coward | more than 3 years ago | (#33649188)

Yes... quite difficult...~

For your average run-of-the-mill take-your-pick-from-a-grab-bag-of-middle-eastern-countries CS / CE student who cheated (erm, collaborated) his/her way through all the required programming courses... quite difficult indeed.

Re:Again? (1)

somersault (912633) | more than 3 years ago | (#33649436)

or the server could just convert < and > to &lt; and &gt; when it received a tweet, wouldn't that work to "escape all HTML"?

Re:Again? (1)

Deag (250823) | more than 3 years ago | (#33649842)

That is one way of doing it, but if you have a requirement for rich text for example it complicates things. And the more control you are handing over to the user the more difficult it is to stop javascript sneaking in somewhere.

Re:Again? (1)

iLogiK (878892) | more than 3 years ago | (#33649118)

From what I could tell, the string looks something like this: http://example.com/#@ [example.com]"onmouseover=">"

my guess is this is some bug related to how they handle hashtags/user profile links

I think they're regularly running a script that takes out the # from the link from old tweets

Re:Again? (0, Redundant)

Kristopeit,MichaelDa (1905518) | more than 3 years ago | (#33649202)

because the raw input should be stored in case additional sanitation processing is required in the future. re-sanitizing might not be feasible as new special characters were introduced to replace old.

this is about sanitizing OUTPUT... there is probably someone in the company like you that handles output sanitation by completely ignoring it and doing all sanitation on the input side... then they are switched to a different team or a new feature is thrown in the mix that doesn't comply with the standards used in different teams... boom. billion dollar company looks like chumps. children playing on daddy's computer. certainly not to be trusted.

Re:Again? (0)

Anonymous Coward | more than 3 years ago | (#33649266)

That probably sounded wonderful in your head, but it looks retarded in black and white. Sanitizing inputs vs. outputs has no significant difference when it comes to the results. It's not even like the core HTML/JavaScript syntax has changed tremendously since it was ever first invented...

Re:Again? (0, Flamebait)

Kristopeit,MichaelDa (1905518) | more than 3 years ago | (#33649414)

yes, but NEW SERVICES UTILIZING "core HTML/JavaScript" have their own syntax and internal interfaces... such as the t.co service EXPLOITED IN THIS CASE.

you are so dumb.

emphasizing sanitizing output allows you to keep the users originally provided input for reference. if you've never needed such a reference i'd argue you probably don't do this for a living.

Hosts file (3, Informative)

MidnightPsycho (827920) | more than 3 years ago | (#33648758)

Add "t.co" to your Windows Hosts file - this will stop the gibberish text. Although the web interface is still broken. (The interface goes grey, and any click still tries to go to the t.co web page)

Add this to your Hosts file:

0.0.0.0 t.co

Re:Hosts file (2, Informative)

bbtom (581232) | more than 3 years ago | (#33648782)

That's not a great solution: because Twitter shortens lots of links through t.co - meaning you'll click on links on Twitter and go to 0.0.0.0

The actual solution: use a native client or the mobile web version ( http://m.twitter.com/ [twitter.com] ) until Twitter fixes the exploit.

Re:Hosts file (1)

The MAZZTer (911996) | more than 3 years ago | (#33648874)

Using NoScript or Google Chrome's Content Settings to block JavaScript on twitter.com is also an option, maybe. Not sure how well twitter.com works that way but onmouseover handlers won't run and AJAX won't work so this exploit is useless then.

Re:Hosts file (3, Insightful)

L4t3r4lu5 (1216702) | more than 3 years ago | (#33648980)

Or don't use Twitter. Seriously.

Except for this thoroughly informative sentence, including the punctuation, nothing of any real import can be expressed in 140 characters...

Re:Hosts file (1)

Jedi Alec (258881) | more than 3 years ago | (#33649066)

Actually, I'm having a lot of fun distilling what I want to say down to its bare essence in order to fit the 140 char space.

Then again, I mostly use twitter to see my elected officials make fun of each other(and egg 'm on a bit at times).

Re:Hosts file (0)

Anonymous Coward | more than 3 years ago | (#33649130)

Unless you run a botnet

Re:Hosts file (3, Funny)

Thanshin (1188877) | more than 3 years ago | (#33649242)

nothing of any real import can be expressed in 140 characters...

"The bag is in locker #437. You'll find your fee and the target's dossier inside."
"The guy I was having fun with is dead in your kitchen and cops are coming. XOXOXO"
"Cut the red wire."
"Salutations earthlings. We come in peace."

Never used Twitter but 140 seems to be a lot. Maybe you're a bit too wordy.

"Dear Mr. Assassin. I've left the money, in $20 bills, inside a big black leather bag. The target data will be inside the bag that you'll find in locker #"

Re:Hosts file (2, Informative)

Anonymous Coward | more than 3 years ago | (#33648786)

But as soon as they fix it, remove it from your hosts. t.co is Twitter's official shortener, so there will be more and more legit links using it.

Re:Hosts file (1)

The MAZZTer (911996) | more than 3 years ago | (#33648982)

That won't do anything. t.co is only used in order to trick twitter into creating an anchor tag, to which the onmouseover handler can be attached. Since you're on twitter.com the only place an AJAX call can be sent to retweet is... twitter.com. example.com can be used instead of t.co and the exploit would still work the same.

You mean... (-1, Offtopic)

Bandman (86149) | more than 3 years ago | (#33648770)

there are people who aren't using hootsuite [hootsuite.com]?

Re:You mean... (1)

bbtom (581232) | more than 3 years ago | (#33648820)

Yes, there are people who aren't total social media douchebags who use Twitter.

HootSuite uses ow.ly which for quite a long time wrapped links in a stupid 'social toolbar', a sort of crap Twitter version of the DiggBar. Horrible. If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.

Re:You mean... (0)

Anonymous Coward | more than 3 years ago | (#33648964)

If I go to someone's Twitter profile and see that they have mostly been posting from HootSuite, I conclude the same thing as when I see they use Outlook for their e-mail.

That they're at work?

Obligatory xkcd (3, Funny)

labcoatless (1902340) | more than 3 years ago | (#33648794)

Re:Obligatory xkcd (2, Informative)

Kristopeit,MichaelDa (1905518) | more than 3 years ago | (#33649102)

obligatory you're an idiot...

the issue was with sanitizing database OUTPUT.

little bobby tables wouldn't even allow such a trivially basic error like this to make it's way onto production servers.

Re:Obligatory xkcd (1)

ledow (319597) | more than 3 years ago | (#33649338)

Whichever way you look at it (input or output) no damn javascript should EVER make it into a tweet. Nobody but Twitter knows if that's because the tweet-input routines didn't filter it effectively, or because the tweet display routines allow you to see the javascript as actual markup instead of sanitised plain-text.

Either way, allowing JS scripts, HTML tags or anything NOT TEXT into a tweet means you didn't attend your first grade computer security courses. This isn't some massively complex hack - somehow javascript was not stripped or escaped adequately, allowing a single piece of it on the site to constantly be executed automatically by all users, and whose input was then accepted time and time again as a valid tweet without escaping it properly.

Someone should REALLY be fired. In fact, several people, because on a site that size there should damn-well be several programmers and several people running tests and checking for such things.

Re:Obligatory xkcd (1)

Kristopeit,MichaelDa (1905518) | more than 3 years ago | (#33649452)

it's such an obvious misstep, i have to believe it was intentional to make all their twits feel relieved that "the good folks at twitter fixed the virus"... they'll never know it was the incompetence of those same folks that the exploit existed in the first place

Re:Obligatory xkcd (1)

somersault (912633) | more than 3 years ago | (#33649556)

Completely random aside, but in English even though you use 's to signify possession for nouns, instead of "it's", you actually write it "its".

Happy to help you sanitise your output ;)

Re:Obligatory xkcd (0)

Anonymous Coward | more than 3 years ago | (#33650070)

and you are a humourless git.

Additional details from Netcraft, Sophos (3, Informative)

1sockchuck (826398) | more than 3 years ago | (#33648808)

There's more info on the spread of this exploit from Paul Mutton at Netcraft [netcraft.com] and Graham Cluely at Sophos [sophos.com].

Easy solution (0)

Anonymous Coward | more than 3 years ago | (#33648838)

Disable javascript. If something as simple as twitter requires javascript be enabled on the client, the company deserve all the resulting security problems!

Re:Easy solution (3, Funny)

Dragoniz3r (992309) | more than 3 years ago | (#33649120)

I'm sorry, but 1994 called, and it wants its World Wide Web back. Interactive webpages are the future, they are actually really nice when they're done properly, and denying that is just holding you back. I expect that sooner or later secure programming mentalities will become deeply ingrained in Web programming, and things like this will stop happening. There will always be bugs, but that's no different from any other software.

NoScript is a much better solution than out-and-out disabling javascript anyways.

Re:Easy solution (5, Insightful)

Culture20 (968837) | more than 3 years ago | (#33649680)

1994 called, and it wants its World Wide Web back.

I called, and I want 1994's WWW back. No more "My entire website is in Flash!" No more drive-by downloads. No more web-apps that just write a static page when HTML would have sufficed. <blink>Just "Here's my Dog!" and "Work in Progress" signs.</blink>

Alternative social media (0, Informative)

Anonymous Coward | more than 3 years ago | (#33648894)

Or you could just move to a sane and open alternative, like any of the sites built on status.net, such as http://www.identi.ca

Or even roll your own.

Oh really? Refrain from what? (0, Flamebait)

mr_mischief (456295) | more than 3 years ago | (#33648908)

refrain from social media altogether until the problem is resolved

Sorry, I didn't realize Twatter was "social media altogether". Sorry, Slashdot, you just admitted on your front page you are irrelevant. Only Twitter counts.

Also saw (2, Interesting)

asdfington (1877976) | more than 3 years ago | (#33649026)

http://a.no/@ [a.no]"onmouseover=";$('textarea:first.val(this.innerHTML);$.('status-update-form.submit();"class="modal-overlay"/ which puts an overlay on the whole site, causing any mouseover to retweet. Personally I think this is pretty hilarious. If you mouse around a bunch you get something like this: http://i.imgur.com/qTPeK.png [imgur.com] Yes I know you can see my acct. in the bg, I don't care; if it were private, why would I put it on twitter?

Now FIXED (3, Informative)

bbtom (581232) | more than 3 years ago | (#33649074)

Re:Now FIXED (0)

Anonymous Coward | more than 3 years ago | (#33649828)

Oh thank goodness. Now back to my social life.

Re:Now FIXED (1)

mybecq (131456) | more than 3 years ago | (#33650048)

The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.

about 1 hour ago via web
Retweeted by 100+ people

So, they tweeted that they had fixed a bug preventing unintended retweeting, and 100+ people have retweeted it?

pure shame. (1)

Kristopeit,MichaelDa (1905518) | more than 3 years ago | (#33649076)

a web application allowing users to output html that can alter layout, or javascript that can be executed is such a giant fail, that twitter should seriously consider firing the highest members of its management staff responsible for code architecture review.

as is always the case, they'll claim it passed regression testing, so there was nothing they could do... but the simple fact is they failed at creating viable regression tests.

this is kindergarten CS stuff... these are the developers the big name outfits are hiring? do they work in the US? did anyone check their resumes?

this is pathetic

Refrain from using the internet (1)

faulteh (1869228) | more than 3 years ago | (#33649084)

until they fix twitter.

EVERYONE! Grab a shovel.. dig a hole in the sand and instruct the person next to you to put their head in the hole, now bury their heads in the sand. Everyone do the same! Wait... one person will have to be left behind.

This is a well orchestrated attack by twitter to highlight the need to move to their own in-house url shortener t.co instead of all those other pesky untrustworthy other url shorteners. However, on a funny note it's amazing how people will, nay, must click things, especially since it's been shortened into something meaningless. No way those links could be suspect, someone tweeted that... to me! it's ok, i'll just move my mouse over here... and exert some pressure on the left mouse button... oh cr*p what have i done? LOLCATS!

Keep the fear alive!

muted into a more sinister attack? (1)

Attila Dimedici (1036002) | more than 3 years ago | (#33649092)

I'm confused as to how reducing the intensity of this exploit would make it more sinister. If anybody can give me an idea of how that would work, I would appreciate it.
Now on the other hand if this attack were to mutate I could see it easily becoming something that might be very disruptive for twits (those who use Twitter).

Re:muted into a more sinister attack? (1)

nwmann (946016) | more than 3 years ago | (#33649298)

perhaps they mean making it less noticed and more destructive. therefore quiet or muted to us all the while racking up the damage.

TLDR (1)

vlm (69642) | more than 3 years ago | (#33649322)

If that was TLDR, here's my summary:

"... it is recommended that you ... refrain from social media altogether ..."

Works for me!

"why not avoid all social sites until" .....? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33649346)

or, why not stop communicating altogether for a while,..., at least. just admire the ?'weather'?. just like we dreamed of?

there certainly is plenty going on for US to fail to communicate about?;
http://www.google.com/search?hl=en&source=hp&q=weather+manipulation

http://www.google.com/search?hl=en&source=hp&q=cheney+bush+wolfowitz+wmd+blair+weather+obama+authors+vaccine

meanwhile (there'll still be ?something? (prescription sex?) on tv. & buystuffyoudontneed.con etc...); the corepirate nazi illuminati is always hunting that patch of red on almost everyones' neck. if they cannot find yours (greed, fear ego etc...) then you can go starve. that's their (slippery/slimy) 'platform' now. see also: http://en.wikipedia.org/wiki/Antisocial_personality_disorder

never a better time to consult with/trust in our creators. the lights are coming up rapidly all over now. see you there?

greed, fear & ego (in any order) are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of our dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & any notion of prosperity for us, or our children. not to mention the abuse of the consciences of those of us who still have one, & the terminal damage to our atmosphere (see also: manufactured 'weather', hot etc...). see you on the other side of it? the lights are coming up all over now. the fairytail is winding down now. let your conscience be your guide. you can be more helpful than you might have imagined. we now have some choices. meanwhile; don't forget to get a little more oxygen on your brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

"The current rate of extinction is around 10 to 100 times the usual background level, and has been elevated above the background level since the Pleistocene. The current extinction rate is more rapid than in any other extinction event in earth history, and 50% of species could be extinct by the end of this century. While the role of humans is unclear in the longer-term extinction pattern, it is clear that factors such as deforestation, habitat destruction, hunting, the introduction of non-native species, pollution and climate change have reduced biodiversity profoundly.' (wiki)

"I think the bottom line is, what kind of a world do you want to leave for your children," Andrew Smith, a professor in the Arizona State University School of Life Sciences, said in a telephone interview. "How impoverished we would be if we lost 25 percent of the world's mammals," said Smith, one of more than 100 co-authors of the report. "Within our lifetime hundreds of species could be lost as a result of our own actions, a frightening sign of what is happening to the ecosystems where they live," added Julia Marton-Lefevre, IUCN director general. "We must now set clear targets for the future to reverse this trend to ensure that our enduring legacy is not to wipe out many of our closest relatives."--

"The wealth of the universe is for me. Every thing is explicable and practical for me .... I am defeated all the time; yet to victory I am born." --emerson

no need to confuse 'religion' with being a spiritual being. our soul purpose here is to care for one another. failing that, we're simply passing through (excess baggage) being distracted/consumed by the guaranteed to fail illusionary trappings of man'kind'. & recently (about 10,000 years ago) it was determined that hoarding & excess by a few, resulted in negative consequences for all.

consult with/trust in your creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land." )one does not need to agree whois in charge to grasp the notion that there may be some assistance available to us(

boeing, boeing, gone.

From TFS (3, Funny)

vegiVamp (518171) | more than 3 years ago | (#33649508)

"refrain from social media altogether until the problem is resolved"

I've been doing exactly that, and intend on keeping to do that until the problem of Twitter has been resolved.

mocking illiterate editors is too easy (2, Informative)

sribe (304414) | more than 3 years ago | (#33649538)

This could easily be muted into a more sinister attack.

mute |myot|
verb [ trans. ]
1 (often be muted) deaden, muffle, or soften the sound of : her footsteps were muted by the thick carpet.
  muffle the sound of (a musical instrument), esp. by the use of a mute.
  figurative reduce the strength or intensity of : his professional contentment was muted by personal sadness.
2 turn off (the sound on a television, telephone, or other appliance) by activating the mute : he turns the set on, mutes the sound, but flicks through the channels.

mutate |myott|
verb
change or cause to change in form or nature : [ intrans. ] technology continues to mutate at an alarming rate | [ trans. ] the quick-dry solution really worked, even if it did mutate the skin on her fingers to reptilian scales.
  Biology (with reference to a cell, DNA molecule, etc.) undergo or cause to undergo change in a gene or genes : [ intrans. ] the virus is able to mutate into new forms that are immune to the vaccine | [ trans. ] certain nucleotides were mutated.

Web Interface Exploit? (1)

andr00oo (915001) | more than 3 years ago | (#33649560)

Exploit? I can't see that this is any worse than what the Twitter Web Interface (or any other Twitter interface) was designed to do.

Already done (0)

Anonymous Coward | more than 3 years ago | (#33649812)

refrain from social media altogether until the problem is resolved

Hey, they found my solution, then again, since I never know when it is vulnerable, I just avoid it altogether.

Curing Retweet Viruses (1)

rakuen (1230808) | more than 3 years ago | (#33649890)

It seems this one has been fixed already, but if you get infected in the future, here's one way to fix it so you at least won't spread the plague too much. Other methods exist, but this is how you could do it if for some reason you only wanted to use Twitter's main webpages.

1) Make sure you've got a script-blocker, such as NoScript.
2) Disable scripts from Twitter and TwitImg (or whatever the image server is, I can't check it now).
3) Navigate to twitter.com/USERNAME#
4) Right now, you lack a lot of Twitter functionality, but the Undo button should still work. Click it.
5) Twitter should tell you it's attempting to undo. Wait a few moments, and then refresh.
6) Repeat 4 and 5 until you successfully cure yourself.
7) Don't use Twitter again until the exploit is fixed.
8) NOW you can restore your original settings.

HAHAHAHAHAHAHA (0)

Anonymous Coward | more than 3 years ago | (#33650110)

What stupid, senseless pieces of garbage. And for what purpose are all of these social engineering, I mean networking, sites?
