Twitter blames website upgrade for re-introducing XSS hole

Twitter said that a month ago it identified and fixed the cross-site scripting flaw that led to Tuesday's meltdown, only to undo this fix with a later website update. The revamp, which reintroduced a flaw that meant JavaScript could be injected into Tweets, was unrelated to the recent introduction of New Twitter. The cross-site …


This topic is closed for new posts.
  1. Anonymous Coward


    Why is this referred to as 'cross-site' scripting a lot, there's only one site involved?

  2. Ian Ferguson

    Six hours to fix an XSS flaw?

    SIX hours? To block javascript from tweets, considering they've done it before?

    I call bullshit - I think all their engineers were asleep from 2am to 7am.

  3. Craig 12

    'Fix' is a stretch

    I noticed this morning that the pop-up profile box is missing from hovering @names in tweets, so I guess they just removed all JS stuff like for a little while until they sort it properly.

    I think there were some malicious variants. Some definitely attempted to compile information via DMs.

  4. Rogerborg

    In what way was it an "attack"?

    There was no signal to disrupt with the noise.

    I'm sure there were some engineers on shift, but anyone with a high enough pay grade to actually make a decision about deploying a fix would be either snoozing or too busy trying to figure out how to actually make some money off of Twitter.

  5. Matt K


    "creating hundreds of thousands of spam message in the process"

    Isn't that business as usual for Twitter?

  6. Darryl

    What's the issue?

    Personally, I'd prefer watching a Rick Astley video to reading people's random inane spews on Twitter

  7. fase

    Leaked memo

    Twitter execs to engineers: "Way to go XSS holes!" ;)
