Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Aussie Student Responsible For Twitter Exploit

samzenpus posted more than 3 years ago | from the little-troublemaker dept.

Bug 122

bennyboy64 writes "An Australian teen has caused havoc on Twitter by discovering an exploit that hit thousands of users, including Barack Obama's press secretary, and resulted in the tweets of a former British PM's wife linking to hardcore porn, The Sydney Morning Herald reports. Pearce Delphin, who is studying his last year at high school, said that he was surprised that 'so many famous people got infected.'"

cancel ×

122 comments

Sorry! There are no comments related to the filter you selected.

Got a great career ahead of him (2, Insightful)

simonbp (412489) | more than 3 years ago | (#33666904)

Got a great career ahead of him, if he wants...

Re:Got a great career ahead of him (0, Flamebait)

Anonymous Coward | more than 3 years ago | (#33666972)

If by "career" you mean the newest bitch on the prison block, then, yes.

Re:Got a great career ahead of him (0)

Anonymous Coward | more than 3 years ago | (#33666984)

Extradition to the USA awaits the lad upon graduation from high school. Wonder if Gitmo will be his new home?

Re:Got a great career ahead of him (1)

iamhassi (659463) | more than 3 years ago | (#33667996)

Last year in high school, first year in jail.

I'm not a lawyer but I'm pretty sure being "surprised that so many famous people got infected" is not a good legal defense.

"(Twitter) has indicated that it will not press charges against Delphin and has also declined to suspend his Twitter account" [telegraph.co.uk]

Wow sounds like he really lucked out considering the embarassment he caused a lot of big wigs, maybe "i'm surprised" is a good defense? I'll have to use that next time I'm pulled over for speeding: "Officer I'm as surprised as you are I was going that fast, guess I'll just leave now"

Re:Got a great career ahead of him (2, Informative)

Cwix (1671282) | more than 3 years ago | (#33668454)

He made a script that changed CSS, someone else used it for bad purposes. Hes not lucky, hes just a kid playing with computers that stumbled into something.

Re:Got a great career ahead of him (5, Funny)

bsDaemon (87307) | more than 3 years ago | (#33668728)

The 1980s called. They want their curiosity back, you terrorist sympathizer!

What does he have to do with anything? (0, Informative)

Anonymous Coward | more than 3 years ago | (#33666914)

He neither discovered the exploit (it was on someone else's Twitter page) nor did he create the worm that abused it.

Re:What does he have to do with anything? (1, Informative)

Anonymous Coward | more than 3 years ago | (#33667016)

bullshit, it has to be true that he discovered the exploit, netcraft confirms it:
http://news.netcraft.com/archives/2010/09/21/twitter-users-fall-victim-to-new-xss-worm.html [netcraft.com]

Re:What does he have to do with anything? (4, Informative)

jeffmeden (135043) | more than 3 years ago | (#33667452)

Reading comprehension fail.

"zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow."

He discovered *someone elses* use of the vulnerability. He then went on to make it more publicly known, and finally lamented the evil that was about to descend upon the twitterverse.

Re:What does he have to do with anything? (1, Informative)

Anonymous Coward | more than 3 years ago | (#33670032)

Correct. The actual exploit was discovered by a Japanese man who also discovered an earlier XSS attack on Twitter's dev servers. This story was manufactured by the Australian media.

Rock On (0)

Anonymous Coward | more than 3 years ago | (#33666916)

He only did everybody a favour by demonstrating the exploit (which is Twitter's fault, not his) in such a harmless way. And if hilarity happens to be a by-product, so be it.

Who caused it? (0, Troll)

MyLongNickName (822545) | more than 3 years ago | (#33666920)

The guy who discovered the exploit, or the coding process which allowed it?

Re:Who caused it? (1, Funny)

Anonymous Coward | more than 3 years ago | (#33666974)

Or in keeping with your sig, Microsoft's fault for not including something like noscript to keep your browser from doing the wrong thing?

Re:Who caused it? (2, Funny)

morgan_greywolf (835522) | more than 3 years ago | (#33667258)

Well, the exploit uses JavaScript. This means that any browser that supports JavaScript does not provide some sort of NoScript facility that's installed and turned on by default would be vulnerable to the exploit.

Which means pretty much all of them.

But you can't even blame the browser; the security of Twitter's site belongs solely to Twitter and their crack website development staff.

Re:Who caused it? (1)

reiisi (1211052) | more than 3 years ago | (#33671328)

Likewise the security of Microsoft OSses.

Microsoft should be fined an equivalent of the cost of all the unrequested commercial mail being transmitted on the internet, and should be required to pay everyone who has to delete more than twenty such mails a week for the time lost to the deletion process.

Microsoft should be required to pay every user whose bank account has been compromised the money lost.

And that's just for starters.

Sure, twitter's coding is bad, but the problem is made much worse by Microsoft's shoddy implementations of prototypes and turning the prototypes into de-facto standards well before the tech was ready.

Re:Who caused it? (1)

catmistake (814204) | more than 3 years ago | (#33667268)

My prefs are set to keep sigs hidden, you insensitive clod!

Re:Who caused it? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33667730)

Your use of that meme was so lame, I am now going to go kick a puppy.

You are not funny, witty or insightful. You are not cool, a nerd, or a socialite.

You are a fucking tool.

Also, I just finished tongue punching your mom's fart box because your dad is a limp dicked loser. I also hear that condition is hereditary. Please remove yourself from the gene pool to preserve humanity.

Re:Who caused it? (0)

Anonymous Coward | more than 3 years ago | (#33667058)

Yeah, when did we start blaming the guy who found the security flaw for the problems caused by it being there?

Re:Who caused it? (5, Insightful)

FuckingNickName (1362625) | more than 3 years ago | (#33667350)

Since the fall of Adam.

Well, you did ask.

Re:Who caused it? (1)

nelsonal (549144) | more than 3 years ago | (#33668658)

A modpoint, a modpoint, my kingdom for a modpoint.

Re:Who caused it? (1)

reiisi (1211052) | more than 3 years ago | (#33671334)

That was not a security flaw. That was an opportunity.

Re:Who caused it? (2, Insightful)

iamhassi (659463) | more than 3 years ago | (#33668056)

"The guy who discovered the exploit, or the coding process which allowed it?"

OH I know this one!!!

What is... the guy that discovered the exploit!

Because see, even though you discovered that the front door was left open it doesn't give you permission to go in. See how that works? Yeah I know it's very confusing, best just to not check if doors are open unless they're doors you own.

Re:Who caused it? (1)

tqk (413719) | more than 3 years ago | (#33670238)

Because see, even though you discovered that the front door was left open it doesn't give you permission to go in.

Agreed. However, what if that door's the Security Entrance for a nuclear power plant (or worse; see Cliff Stoll's "The Cuckoo's Egg")? Isn't it a good thing that people are testing these things? Their actions from then on should dictate their future. Exploit it, or report it to the auths?

Good testers are hard to find. Free, volunteer testers should be welcomed.

There's so much crap going on out there, the authorities can't possibly keep up with all of it (considering their present preoccupation with other things (not going there)).

Re:Who caused it? (1)

pookemon (909195) | more than 3 years ago | (#33670640)

Ok, so you discover the front door is open on your local Nuclear Power Plant. Do you:

(a) Tell every man and his dog the door is open, or

(b) Tell the operator of the power station that the door is open?

A "tester" would go for (b). This guy went for (a).

Re:Who caused it? (1)

tqk (413719) | more than 3 years ago | (#33670938)

I think I suggested the ethical one would try to contact the authorities. (a) is last resort, after they prove ineffectual.

"Responsible" (5, Informative)

iONiUM (530420) | more than 3 years ago | (#33666924)

The summary kind of makes it sound like he's a kid who was looking for exploits and then used it to make a virus. This doesn't seem to be the case at all. According to the TFA he saw some people using CSS in their twitter posts, and wondered if he could use HTML/JavaScript (as I would be too). He found he could, did some experimenting, and his followers then started doing it too and it went viral (the idea), and then some malicious people found it, and went viral (the code).

I assume no punishment is being leveraged against him, but I'm sure many will misunderstand what happened and call for it anyways. Curiosity should be encouraged.

Re:"Responsible" (1)

The MAZZTer (911996) | more than 3 years ago | (#33667156)

Based on how it worked, it was likely using JavaScript to set CSS styles. So it's not really a far leap of logic that other JavaScript would work too (the key was that it couldn't have spaces in it).

Re:"Responsible" (1)

omnichad (1198475) | more than 3 years ago | (#33667260)

The javascript was inserted with an onmouseover (that twitter conveniently put into a specific spot in the HTML). Presumably, the CSS styles were done using a style attribute. I can't say for sure, I forgot what the code for the exploit looked like.

Re:"Responsible" (1)

clone53421 (1310749) | more than 3 years ago | (#33667344)

Likely some CSS style that failed to realize that (despite having no spaces) not only is red"onmouseover="//javascriptgoeshere an invalid CSS colour attribute*, it’s also a security hole if you don’t ensure that it’s properly parsed by the browser as a CSS colour attribute, not an onmouseover event.

*no idea which CSS style was being set, but I used colour as an example

Re:"Responsible" (1)

omnichad (1198475) | more than 3 years ago | (#33668314)

I think you read everything I said and understand none of it. We're talking about the original CSS exploit vs. the JavaScript version. The bug was related to how Twitter parses hashtags when they are part of a URL. Only the javascript version would have used an onmouseover=" secretly inserted into the URL after a hashtag. The CSS exploit probably looked more like www.something.com/#test"style='color: red;'

Re:"Responsible" (2, Interesting)

Inda (580031) | more than 3 years ago | (#33667818)

Forgive my ignorance, as I don't use Twitter, but they're supposed to be massive and they make these sorts of mistakes? It's a simple message board, no?

We were doing this sort of crap on vBulletin boards 10 years ago. Stealing cookies, redirecting, replacing images; all for kicks. After messing about for a week, everyone got bored and we had javascript events blocked on our own board.

Re:"Responsible" (3, Insightful)

ultranova (717540) | more than 3 years ago | (#33668540)

Forgive my ignorance, as I don't use Twitter, but they're supposed to be massive and they make these sorts of mistakes? It's a simple message board, no?

Twitter is a simple message board, but it's accessed with virtual machines that were never designed but just kinda happened - in other words, modern browsers. Combine that with the attitude some people still have that you need to filter - enumerate all bad things and check for them - rather than simply escape the user-input string, and it shouldn't be a surprise that these things keep on happening.

Not that it really matters. An exploited website is like graffiti in real life: much ado about nothing.

Re:"Responsible" (1)

zuperduperman (1206922) | more than 3 years ago | (#33670084)

What rock have you been under? Twitter are famous for total technical incompetence. They could barely keep their site up for years. People used it anyway. Sadly they are now a case study in how technical competence doesn't matter.

Not exactly (5, Informative)

Shyfer (1875644) | more than 3 years ago | (#33666930)

The article says he is the one that discovered the exploit, but he did not create the script that made 'tweets of a former British PM's wife linking to hardcore porn'. Just to clarify.

Re:Not exactly (1, Funny)

Anonymous Coward | more than 3 years ago | (#33667852)

That doesn't even begin to clarify. Is he formerly British or formerly a PM? Is she formerly British or formerly his wife?

Six Degrees (3, Interesting)

TubeSteak (669689) | more than 3 years ago | (#33666934)

Six degrees of Kevin Bacon pretty much ensures that famous people are going to get hit by the same kinds of malware that the rest of us have to deal with.

This is doubly true when the vector is a social networking site.

Re:Six Degrees (2, Interesting)

Culture20 (968837) | more than 3 years ago | (#33667262)

Six degrees of Kevin Bacon pretty much ensures that famous people are going to get hit by the same kinds of malware that the rest of us have to deal with.

Does this mean that Hollywood may not have been designed to route around Kevin Bacon in the event that Global Thermonuclear War takes him out? Can a dead Kevin Bacon star in such movies as "Weekend at Bernie Junior's" or as corpse-extras to keep the connections up?

Re:Six Degrees (1)

Nidi62 (1525137) | more than 3 years ago | (#33667362)

How do you tell the difference in the acting of a live Kevin Bacon and a live one, anyway?

Re:Six Degrees (1)

Nidi62 (1525137) | more than 3 years ago | (#33667378)

ah, damn, between a live Kevin Bacon and a dead one.

Re:Six Degrees (3, Insightful)

The_mad_linguist (1019680) | more than 3 years ago | (#33667654)

See! You can't!

Re:Six Degrees (1)

shadowrat (1069614) | more than 3 years ago | (#33667672)

oh dang! so quick to judge kevin bacon, but his acting was such that you confused the dead one for a live one!

Re:Six Degrees (1)

tsm_sf (545316) | more than 3 years ago | (#33670428)

Hollywood sees Kevin Bacon as damage and routes around him?

But famous people are experts ... (1)

perpenso (1613749) | more than 3 years ago | (#33667400)

Six degrees of Kevin Bacon pretty much ensures that famous people are going to get hit by the same kinds of malware that the rest of us have to deal with.

But famous people are technical experts. That's why we turn to them so often for their opinion and advice on important complicated problems that overwhelm and confuse the average person. ;-)

Re:Six Degrees (1)

hedwards (940851) | more than 3 years ago | (#33667658)

Not really, the fact that they're famous and have huge bank accounts ensures that they will be hit like the rest of us. They're more likely to have some protection than the rest of us, but the pay off is a lot bigger.

who's responsible? (1)

spikenerd (642677) | more than 3 years ago | (#33666938)

Aussie Student Responsible For Twitter Exploit

Discovering an exploit hardly makes him responsible for it. Let's put the blame where it belongs, probably either sloppy coding practices, or high pressure from clueless management to develop software quickly.

Re:who's responsible? (2, Insightful)

Rhacman (1528815) | more than 3 years ago | (#33667112)

He's not responsible for Twitter's bad coding but I would say he acted irresponsibly by toying around with it and exposing it to the public rather than reporting it directly to Twitter staff. If a vending machine malfunctions and lets you get candy out of it without paying, it isn't the customers fault the machine malfunctioned but it doesn't make it right to take the candy or tell everyone in earshot that the machine is giving out free candy. Not saying how I would behave in that situation, just that it wouldn't be right ;)

Re:who's responsible? (3, Insightful)

clone53421 (1310749) | more than 3 years ago | (#33667264)

He didn’t really fathom the extent of the exploit, though. He thought it was just a novel toy to pop up alert boxes when you moved the mouse over the tweet. (Well, he actually got the idea of trying to steal users’ session cookies, but didn’t find a way to do it within the 140-character limit.) The idea that really allowed it to go viral – posting a new tweet – was conceived by someone else.

Hell, I’ve done similar... “oh look, the layout of the page broke after I put a special char in that form element... I wonder if I can make it alert(document.cookie) using that? (sure enough) yup...” The main difference in this case is that (a) it was a massive social networking site and (b) other people could see his experiments and come up with their own little variations on the exploit, some of which were less benign than his experiments had been...

Re:who's responsible? (2, Insightful)

Rhacman (1528815) | more than 3 years ago | (#33667428)

Fair enough that it probably seemed harmless what he was doing, but it was still a mistake to do it even if it was only apparent in retrospect. I'm not saying crucify him, just that he does bear some portion of the responsibility however big or small.

Re:who's responsible? (1)

tqk (413719) | more than 3 years ago | (#33671202)

An idea is not resposible for those who hold it.

Re:who's responsible? (0)

Anonymous Coward | more than 3 years ago | (#33667130)

Leaving my front door open is sloppy and stupid.

Entering without my permission is (potentially, absolutely or likely depending on the jurisdiction) a crime.

Re:who's responsible? (4, Interesting)

spikenerd (642677) | more than 3 years ago | (#33667498)

Your analogy has many flaws. Hackers do not enter your computer. Exploits are not typical methods of entry. Your home is not a service intentionally placed on the web for others to use. Let me see if I can fix it...

Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?

Re:who's responsible? (5, Insightful)

matrim99 (123693) | more than 3 years ago | (#33667762)

...Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?

Twitter.

Oh wait, Microsoft.
No... Google.

Ooooh, Terrorists. Almost had me there.

Re:who's responsible? (1)

interkin3tic (1469267) | more than 3 years ago | (#33668426)

I was going to guess child molesters, the two party system, daryl mcbride, and then idiotic users in that order, but I have no idea what we're talking about so I'm glad you went first. That could have been embarrassing.

Re:who's responsible? (1)

hedwards (940851) | more than 3 years ago | (#33667806)

Actually, that's not entirely true, in CA at least you can trespass on somebody's computer, but only under certain conditions. If you're curious, Intel v. Hamidi is the case you'd want to look up. Just being on the site isn't enough, but in a case like this where he interfered or if the plaintiff can demonstrate that interference is likely it could come into play. It is more or less accepted at both the state and federal level.

Trespass [wikipedia.org]

Re:who's responsible? (1)

syousef (465911) | more than 3 years ago | (#33670786)

Suppose you post a mentally-handicapped guard at your castle gate. When you are gone, your enemy hands him a scroll with instructions and says "These are from your boss. He wants you to do them right away." The instructions tell him to ransack your bed-chamber and run your underwear up the flag-pole. The guard obeys. Who is to blame?

Overzealous equal opportunity campaigners

Re:who's responsible? (3, Insightful)

$RANDOMLUSER (804576) | more than 3 years ago | (#33667178)

...either sloppy coding practices, or high pressure from clueless management to develop software quickly

Dude, that's almost always an AND, not an XOR.

Re:who's responsible? (1)

blair1q (305137) | more than 3 years ago | (#33667228)

He's responsible for discovering that he could change the color of texts.

He's not responsible for cross-linking to porn sites.

And he's no doubt not the first to try it, just the first since Twitter borked their own countermeasures against such things.

Re:who's responsible? (1)

thestudio_bob (894258) | more than 3 years ago | (#33667716)

With that kind of logic every executive working at MicroSoft should be in Jail.

Re:who's responsible? (1)

zuperduperman (1206922) | more than 3 years ago | (#33670126)

Except he didn't even discover it. This story is basically a fabrication. He was one person in a long chain who happened to play with it after it was discovered.

This often occurs in the australian media - any time an Australian is remotely involved in something no matter how obscure their role they run it as "An Australian Did Something And Somebody Noticed" which seems to appeal to the masses here.

porn (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33666952)

The problem with porn is that Americans do not like seeing naked dick on their screen.  It goes against what the country was founded on... Christianity.  In fact, Jesus was caught carpet munching Mary in the corner of the Cave as Judas walked in.  Judas betrayed Jesus by eating his load instead of Mary.

Re:porn (0, Redundant)

inerlogic (695302) | more than 3 years ago | (#33667008)

+1 Informative

Re:porn (1)

Pojut (1027544) | more than 3 years ago | (#33667144)

I guess this was the "inout, inout" part of the bible referred to in A Clockwork Orange...?

Re:porn (0)

Anonymous Coward | more than 3 years ago | (#33667200)

It probably did happen, or something like it. What we're left with is always an urbane view of history.

Famous (1)

lymond01 (314120) | more than 3 years ago | (#33666992)

Famous people don't use Twitter.
Twitter makes people famous.

Followed by the other related quote:

There's a sucker born every minute.

I'd say Twitter is responsible. (2, Insightful)

Beelzebud (1361137) | more than 3 years ago | (#33666994)

It's their site, their code, and they set the rules.

Shocking! (1)

DarthVain (724186) | more than 3 years ago | (#33667100)

You mean twitter is actually useful for something?

Virus or exploit (4, Interesting)

stimpleton (732392) | more than 3 years ago | (#33667134)

"so many famous people got infected."

I am not a vegetarian, but I get annoyed at people that proclaim "I am vegetarian. I only eat fish, cheese, and chicken."

Similarly, anyone who was exposed to the computer wrecking virus's of the 90's thru to 2002, know what "infection" really means. I am not a low level coder, only high level languages in a business environment, but I do wonder what some old skoolers must think when they read about a piece of HTML Javascript being described as "Infection". I am vegetarian, I will eat steak only if its well done.

Re:Virus or exploit (1)

blair1q (305137) | more than 3 years ago | (#33667300)

Actually, anyone who was exposed to Syphilis in the 18th century knows what "infection" really means, and it wasn't known as a disease of the rich for nothing.

Re:Virus or exploit (0)

Anonymous Coward | more than 3 years ago | (#33667434)

"Actually, anyone who was exposed to Syphilis in the 18th century knows what "infection" really means, and it wasn't known as a disease of the rich for nothing."

Actually, anyone who was exposed to Syphilis in the 18th century is likely dead by now since that was over 110 years ago.

Re:Virus or exploit (1)

blair1q (305137) | more than 3 years ago | (#33667584)

So you're saying it was 100% fatal! Aiieeeeeeee!

Re:Virus or exploit (1)

clone53421 (1310749) | more than 3 years ago | (#33667642)

Egads! Either you’re posting from the year 1910 or you’re likely dead by now!

(“The 18th century lasted from 1701 to 1800 in the Gregorian calendar.”)

Re:Virus or exploit (1)

east coast (590680) | more than 3 years ago | (#33667446)

As a lacto-ovo vegetarian I think dairy is ok.

Re:Virus or exploit (2, Informative)

hedwards (940851) | more than 3 years ago | (#33667838)

Actually, cheese is OK in general for vegetarians. Chicken is never OK for a genuine vegetarian, and the term for somebody that only eats meat in the form of seafood would be a Pescetarian. [wikipedia.org] But since many people are familiar with the term, a lot of them refer to themselves as vegetarian anyways.

Re:Virus or exploit (0)

Anonymous Coward | more than 3 years ago | (#33669856)

But since many people are familiar with the term, a lot of them refer to themselves as vegetarian anyways.

Looks like you an adverb.

Re:Virus or exploit (1)

Dodgy G33za (1669772) | more than 3 years ago | (#33671182)

Strictly speaking most cheese is not vegetarian as it contains rennet (an extract from the lining of a sheep's stomache, the removal of which is pretty much fatal). Which is why you can get vegetarian cheese. Just because many vegetarians choose to be flexible about it, especially when eating out, doesn't make it any more vegetarian than fish or oyster sauce.

haxoring (0)

Anonymous Coward | more than 3 years ago | (#33667138)

How come when these leet websites are hacked that the hackers who hacked it do not put up a picture tubgirl so other people can see it and maybe make them want to delete their account?

I do not understand why hackers who hack into websites do not do more leet stuff

Re:haxoring (1)

denis-The-menace (471988) | more than 3 years ago | (#33667232)

Maybe because they (hackers) don't want to be banned from twitter when they are found out?

Disclaimer: I don't Twat or book faces.

From TFA... (3, Insightful)

clone53421 (1310749) | more than 3 years ago | (#33667162)

After a "little bit of coding", he said he "managed to generate a dialog box containing the data from within the Twitter cookie file". He said "theoretically this could be used to maliciously steal users' account details".

They make it sound difficult to alert(document.cookie)...

But "the problem was being able to write code that can steal usernames and passwords while still remaining under Twitter's 140 character tweet limit", he said.

Ah, so the 140-character limit is actually beneficial in some sense!

What I liked (0)

g0bshiTe (596213) | more than 3 years ago | (#33667216)

FTFA

He said it was Twitter's responsibility, not his, to keep the site secure.

That defense won't work. If you found this on say the NSA website, or Microsoft, don't you think they are gonna prosecute your ass for unauthorized use of a computer system. This would be akin to running blind sql injection on websites, and using that as a defense when you got caught.

Re:What I liked (2, Interesting)

Superken7 (893292) | more than 3 years ago | (#33667338)

please read the rest of TFA, not just that sentence.

He just discovered it but did not exploit it in a malicious way. It was others who did that. I don't think he needs any "defense" for doing an alert('uh oh');

He probably means that its their responsibility that others abused the exploit that he did NOT write.

Re:What I liked (2, Insightful)

vux984 (928602) | more than 3 years ago | (#33667340)

This would be akin to running blind sql injection on websites, and using that as a defense when you got caught.

Little Bobby Tables strikes again. ;)

http://xkcd.com/327/ [xkcd.com]

Re:What I liked (2, Informative)

conspirator57 (1123519) | more than 3 years ago | (#33667346)

would you prefer it hadn't been found and exposed so it can be fixed?

or would you prefer that unknown criminals were the ones exploiting it fraudulently?

because with a latent bug like this, those are the choices.

Re:What I liked (1)

conspirator57 (1123519) | more than 3 years ago | (#33667372)

err... yeah. change that first line to "had been"

Re:What I liked (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33667510)

or would you prefer that unknown criminals were the ones exploiting it fraudulently?

As long as it only affects Twitter Twats, yes I would.

Not completely patched (2, Interesting)

wbav (223901) | more than 3 years ago | (#33667382)

I just found that in search results, twitter appears to be still affected by this bug. [youtube.com]

The video is still processing but should be up soon.

Shame on twitter (1)

atisss (1661313) | more than 3 years ago | (#33667464)

Don't they check for identical messages repeating rapidly?

Re:Shame on twitter (1)

wbav (223901) | more than 3 years ago | (#33667522)

Because it would be difficult to have the javascript rewrite its self each time it posted?

That's not to say your idea is without merit, it just isn't a complete solution.

Re:Shame on twitter (1)

atisss (1661313) | more than 3 years ago | (#33667898)

well, 140 signs are quite limiting.

I'm not saying that it's the ultimate protection, however this should be one of basic measures to detect appearance of new bots, viruses, etc.

Re:Shame on twitter (0)

Anonymous Coward | more than 3 years ago | (#33671050)

Aren't most tweets just retweets of what other twits tweeted?

Wtf? (1)

X.25 (255792) | more than 3 years ago | (#33667466)

"Exploit"? What, exactly, he "exploited"?

Hey, look at an "exploit" that makes shit posts, and has no value in relation to security whatsoever.

But yeah, he has a great career ahead of him, and he's next security wizard?

No wonder everyone left security industry, and you're left with monkeys interested in Twitter/Facebook only...

Re:Wtf? (1, Funny)

Anonymous Coward | more than 3 years ago | (#33667960)

Yeah, well, he can write a book now and every IT manager and CISO will gobble it up and adjust their entire strategy because it is written by a guy whose name they saw on the news... as long as he mentions the word "cloud" in there somewhere of course.

This kid did what exploit hunters do (1)

Stan92057 (737634) | more than 3 years ago | (#33667902)

This kid did what exploit hunters do, release code to the internet knowing it can be used for criminal purposes. And if hes smart enough to be messing around with the code then he should have been smart enough to figure it will be used for bad purposes. Thats what history of releasing exploits tell me anyways. And some say its twitters fault,well its not twitter who is paying, its the exploited users that pay. I think those who have the knowledge have a mush more responsibility to NOT abuse there knowledge. This kid abused his knowledge,knowing other could use the exploit for bad purposes.

Re:This kid did what exploit hunters do (2, Insightful)

HornyBastard (666805) | more than 3 years ago | (#33668930)

"This kid did what exploit hunters do, release code to the internet knowing it can be used for criminal purposes."

According to that logic, if i stab you in the face, the guy who sold me the knife is responsible.
This kid did not do anything wrong. All he did was let people know about the bug.

car analogy:
All he did was put a flyer in your window saying that if you switch on the headlights and the radio at the same time, your car will explode. He is now responsible if somebody else uses that knowledge to blow up a lot of cars.

He never exploited.. (2, Insightful)

munky99999 (781012) | more than 3 years ago | (#33667910)

He found the exploit... he didnt exploit anything. He is thusly not responsible at all. The mischievous users and twitter are the ones responsible.

This is exactly the kind of scenario (4, Interesting)

Dracos (107777) | more than 3 years ago | (#33667968)

This is exactly the kind of scenario I envisioned last week [slashdot.org] . This kid's intent wasn't malicious, but think of what a blackhat could do with the HTML5 ping attribute, directing many thousands of twitter users all hammering a single site (and url shortening sites go down as collateral damage) to death. It could originate from any social networking site.

The ping attribute needs to be dropped or considered much more carefully.

Re:This is exactly the kind of scenario (3, Insightful)

clone53421 (1310749) | more than 3 years ago | (#33668040)

think of what a blackhat could do with the HTML5 ping attribute, directing many thousands of twitter users all hammering a single site (and url shortening sites go down as collateral damage) to death. It could originate from any social networking site.

And that’s any worse than, say, sending them all to a pastebin page that will repeatedly download all the images from the target website?

Re:This is exactly the kind of scenario (1)

Psaakyrn (838406) | more than 3 years ago | (#33671188)

Nah, drop Twitter. Much more effective.

Danish newspapers claims Norwegian boy did it (2, Informative)

FreakCERS (517467) | more than 3 years ago | (#33668362)

According to this article http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=da&tl=en&u=http%3A%2F%2Fpolitiken.dk%2Ftjek%2Fdigitalt%2F1065381%2Fnorsk-dreng-fik-twitter-i-knae%2F [google.com] (google translated) it was a Norwegian boy who discovered the bug. Not that it really matters, I suppose...

Re:Danish newspapers claims Norwegian boy did it (1)

Dodgy G33za (1669772) | more than 3 years ago | (#33671212)

Of course it bloody well does. Aussie national pride is involved. Bloody Norwegians think they can take this one away from us they have another thing coming. *grabs beer from the fridge and pulls up a chair* . . Actually, I just noticed that the Australian is from Melbourne, so the Norwegians are welcome to it :o)

Good thing (1)

gringer (252588) | more than 3 years ago | (#33670594)

It's a good thing they just used onmouseover rather than onload. That would have been quite a chaotic mess.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>