Recently a fairly simple security flaw was found in Twitter's tweeting system that allowed arbitrary Java Script to be executed in a users browser when the mouse cursor moved over the tweet. A number of people are trying to take credit for the discovery of the flaw and a number of worms that have sprung up with the earliest report being of a Japanese developer on the 14th August.
One of twitters users, known by his handle zzap, had been experimenting with the flaw to dynamically change style sheet, show alert dialogs containing cookie information & other messages and write temporary messages into the HTML of another users profile.
Within 2 hours of zzap's harmless tweets worms crafted to execute much larger scripts, as the flaw allowed for Cross Site Scripting (XSS), and started to make their way around twitter, mostly by retweeting themselves.
Twitter has since fixed the flaw by encoding the injected Java Script into harmless HTML when it finds keywords used to create the worms in the first place.
No comments:
Post a Comment