Twitter.com XSS exploit - otherwise known as "Escaping for Dummies"

This morning I noticed a really weird issue with my Twitter timeline: a bunch of posts with HTML in them, containing things like "onmouseover".

I use a Twitter client - either on my Android phone or Echofon in Firefox - so the JavaScript didn't actually affect me; it was simply annoying.

A quick search revealed that Sophos had just published an article http://www.sophos.com/blogs/gc/g/2010/09/21/twitter-onmouseover-security-flaw-widely-exploited/ about an onmouseover exploit at twitter.com (and the new twitter.com as well).

What is apparent is that everyone and their brother is suddenly exploiting this, and the variants are spreading fast: there's the one that retweets itself, one that tries to send direct messages from the victim's account, and one that redirects visitors to a user's profile to porn sites.

Since there is nothing yet from Twitter about the issue, stay off of twitter.com for now; third-party clients appear to be unaffected, since they render tweets themselves rather than loading twitter.com's page.

If you've already had issues - http://matthewturland.com/2010/09/21/twitter-xss-vulnerability/ Matt has instructions on how to clean things up.

And remember - no matter how long you've been programming, ALWAYS escape your user data, and escape it for the context it lands in (element text, an attribute value, a URL, a script block)!
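To make that rule concrete, here is an added example (my illustration, not twitter.com's code, and the payload is a constructed stand-in rather than the string actually used in the attack). It renders a tweet into a span whose title attribute and body both carry the tweet text, once without escaping and once with it, and shows how a tweet that merely closes a quoted attribute can smuggle in an onmouseover handler without ever using `<` or `>`. The function names and the `hasInjectedHandler` heuristic are my own.

```javascript
// Added example: escaping user data before it is interpolated into HTML.
// Not twitter.com's code; the payload below is constructed for illustration.

// Escape the five characters that matter in HTML element text and in
// quoted attribute values. Quotes are included because an attacker does
// not need < or > to break out of an attribute: a single " is enough.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the tweet text is dropped straight into a quoted attribute
// and into the element body. Any " in the text ends the attribute early.
function renderTweetUnsafe(text) {
  return '<span class="tweet" title="' + text + '">' + text + '</span>';
}

// Hardened: every interpolation of user data goes through escapeHtml.
// This is only correct because the attribute is double-quoted; an
// unquoted attribute would also need spaces and = escaped.
function renderTweetSafe(text) {
  const t = escapeHtml(text);
  return '<span class="tweet" title="' + t + '">' + t + '</span>';
}

// Constructed tweet: closes the title attribute and adds an event handler.
// It contains no angle brackets at all.
const PAYLOAD = 'hi" onmouseover="alert(1)';

// Cheap check used for demonstration: does the markup contain a live
// on*="..." attribute? Escaped output cannot match because its quotes
// have become &quot;. A real test would parse the HTML with a DOM.
function hasInjectedHandler(html) {
  return /\son[a-z]+\s*=\s*"/i.test(html);
}

// Run stand-alone to see both renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderTweetUnsafe(PAYLOAD));
  console.log("safe:  ", renderTweetSafe(PAYLOAD));
}
```

Note that `escapeHtml` is enough for element text and quoted attribute values only; data that ends up inside a `href` or `src` needs its URL scheme checked (a `javascript:` URL is perfectly well escaped and still runs), and data placed inside a script block needs JavaScript-string escaping instead. Pick the escaper by where the data lands, not by where it came from.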
