Twitter fixes dangerous link exploit

Twitter today was hit by a wave of Tweets exploiting a bug in the way it handled URLs. Twitter have just fixed the issue, which previously could be exploited simply by posting a URL of the form:

http://twitter.com/anythinggoeshere#@"onmouseover="javascript:alert('test');"/

Of course, the above example is harmless but the bug essentially allowed for arbitrary JavaScript to be executed, allowing the poster to do much nastier things. Twitter applications were not vulnerable to the bug.

Cross-site scripting attacks are a real worry for any major website and protecting against them is not an easy task. Malicious code must be filtered out when the user submits any text. The most basic attacks are easy to prevent, e.g. attempting to submit:

<script type="text/javascript">alert("hello");</script>

This can be prevented simply by escaping the HTML tags or recognising the script tag and removing or disallowing it. More complex attacks may use different character encodings to fool filters or place scripts inside tags users are allowed to use. In the Twitter case, it seems the exploit focused on the way in which it handled internal URLs. It seems that some relatively simple filtering could have prevented this issue from ever arising.
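To make the URL case concrete, here is an added example (not Twitter's code and not from the original post) of an auto-linker that pastes a matched URL into an href attribute unescaped, next to one that escapes it first. The function names, the URL pattern and the sample tweet are assumptions made for illustration.

```javascript
// Added example: turning URLs in user text into links, weak vs. hardened.
// All names here are hypothetical; SAMPLE is constructed from the URL form above.
const URL_RE = /https?:\/\/[^\s<>]+/g;
const SAMPLE =
  `look http://twitter.com/anythinggoeshere#@"onmouseover="javascript:alert('test');"/`;

// Escape the characters that are special in HTML text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Weak: the URL goes into href="..." as-is, so a double quote inside it
// closes the attribute and whatever follows is parsed as further attributes.
function linkifyNaive(text) {
  return text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened: escape the surrounding text, and escape each URL before it is
// placed in the attribute and in the link text. Only http/https URLs match.
function linkifySafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += `<a href="${u}">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Check for output review: true if any <a> tag carries more than one href.
function hasInjectedAttribute(html) {
  for (const m of html.matchAll(/<a\s([^>]*)>/g)) {
    const rest = m[1].replace(/href="[^"]*"/, "").trim();
    if (rest !== "") return true;
  }
  return false;
}

console.log("naive injected:", hasInjectedAttribute(linkifyNaive(SAMPLE)));
console.log("safe injected: ", hasInjectedAttribute(linkifySafe(SAMPLE)));
```

The escaping happens at output time, where the URL is written into the markup, so it holds regardless of what earlier input filters let through.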
