back to article Flaw makes Twitter vulnerable to serious viral attack

Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker's choice simply by clicking on a link. It could be used to spawn a self-replicating worm. The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance …


This topic is closed for new posts.
  1. Mike Flugennock

    Why am I not surprised, nor am I getting worked up about it...?

    I mean, c'mon, people...after all, what _are_ the first four letters in "Twitter"...?

    Thankyuh, thankyuhvurymuch.

  2. Jeremy

    TinyURL have pulled the link

    Surprising really. They didn't nuke the phpinfo() thing for yonks (have they even done it yet?) but they yanked that URL in a matter of hours. Funny, eh?

  3. John Thomas
    Thumb Down

    It's just a XSS issue.

    Send an email to and move on. I hate white-hat sensationalists.

  4. jake Silver badge

    @Dan G

    "Flaw makes Twitter vulnerable to serious viral attack"

    Twitter and the like (facebook, myspace, youtube, et alii) ARE serious viral attacks. That's why they are blocked at the boarder routers for all the companies I consult for ...

  5. David Edwards

    @ Jake

    Surley you know that blocking access to these sites is a breach of employees human rights. Youll be telling me next that you expect them to turn up on time.......

  6. Anonymous Coward
    IT Angle


    Blocked at the routers? By IP? That's not really going to work if anyone uses a public proxy server, is it?

    Viruses are best dealt with by A/V and IDS, not IP blocking. So you block YouTube. Great. What about, which is linked off a Google search?

  7. Anonymous Coward

    seen this before?

    Brilliant.. I can see the messages now...

    I've been biten by a vampire.. http:\\

    this could be self propegating via followers..

    its not the end of the world though...

  8. Chris Miller

    It's just XSS

    Please don't dismiss XSS as a trivial non-event. If you're a bank (are there still any banks?) it's pretty serious. Even if you just require a logon before letting customers download your PDF brochures, you may still be revealing their passwords - and if they use the same passwords for other apps, like 90% of users ...

    At the very least you make your organisation look incompetent - the commercial cost of that only you can decide. And where there's an XSS vulnerability, can SQL Injection be far behind?

    @DanG: "boarder routers", I think I'll use this alternative spelling from now on.

    <insert obligatory "arr-harr, standy by me buckos" comment here>

  9. Edward Miles


    Noscript, noscript, noscript, noscript

    That is all.

  10. John Fredrickson

    Viewing Short Urls

    Or you could use a service like to view your Twitter stream. Tweetree follows through all the short urls and pulls in their final destination and page title so you know what to expect before clicking on it.

  11. jake Silver badge

    @AC 09:43, Chris, David,

    AC: You seem to think I'm talking about toy operating systems ... I mean, seriously, A/V software? WTF? My exact methodology is unimportant. It works. Many other sysadmins do similar. Yes, it could loosely be called "IDS". Using proxies to get around the blocks is a firing offense, even though the attempt would probably be unsuccessful. Remember, these are WORK machines, not toys at home.

    Chris: It was late. Mea culpa :-)

    David: Most people don't understand that company computers belong to the shareholders, not the workers using the machines ...

  12. Anonymous Coward

    How '1990s'

    "A Twitter representative has yet to return our email."

    Because email is _so_ Web-1.0

  13. jake Silver badge

    @AC 19:24

    ""A Twitter representative has yet to return our email."

    Because email is _so_ Web-1.0"

    THAT, my friends, is one of the problems with the Web2.0 crowd. They have absolutely no concept of the history & inner workings of teh intratubes. As a hint to the AC, I was sending and receiving "email" back in the late 70s. From home. Long before the Web existed. For our current standard's roots, metacrawler RFC 821, published in 1982.

    We had instant messaging in the late '70s, too. metacrawler "talk +UNIX" ... Kids these days!

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022