Twitter, everyone’s favorite useless yet addictive global away message service thing, seems to have been exploited by a user. Whenever someone visits twitter.com/x and is currently logged into their Twitter account, their Twitter message will say something along the lines of “Looking at Bon’s Twitter page”. I fell victim to this earlier today after I saw a friend’s Twitter say that.

I looked around the page source and other included files with Firebug, but I didn’t see anything resembling a possible XSS exploit. As of this writing, it seems like the page no longer changes your message. This whole thing made me realize how powerful the exploit, or whatever you want to call it, could have been, considering many people have their Twitter status embedded on their website.
This is similar to how many people have MyBlogLog badges on their site and the recent exploit for free advertising.
Yeah I saw it too from your Twitter…and got hit by the little exploit.
24 is HOT tonight! Yeah, I saw your message earlier and kinda raised an eyebrow.
Hmm, I don’t use Twitter’s HTTP interface, I just use its handy little AIM bot. But mind telling me your Twitter username?
It’s in my sidebar… hover over the title.
Hey there; I work on Twitter, just following up on this issue.
We previously allowed GET requests to update a user’s status message, which allowed people to maliciously construct embedded links that would automatically change your status. We now require that statuses are updated via HTTP POST requests, which prevents this sort of attack.
This sort of exploit is fairly common, and exists on many popular websites. I expect that we’ll see more of this sort of thing in the next year, as we have in the past (e.g., Google Web Accelerator).
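As an added illustration (not Twitter’s code, and not part of the original post or comments): a minimal model of the status-update handler Blaine describes, with the old GET-accepting version beside the hardened one. The endpoint name, the `Session` class and the CSRF-token check are assumptions; the token is the usual complement to the POST-only rule, since requiring POST stops `<img>`/link-triggered updates but a cross-site form can still be auto-submitted with the victim’s cookies.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the server-side session tied to the browser's cookie.
@dataclass
class Session:
    user: str
    status: str = ""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

MAX_STATUS_LEN = 140  # assumed limit for this illustration


def legacy_handle_status_update(method, params, session):
    """The weak version: any request method updates the status.

    A third-party page embedding <img src=".../update?status=..."> makes the
    browser send this GET with the victim's cookies, so the status changes
    without any action by the user.
    """
    text = params.get("status", "")
    if not text or len(text) > MAX_STATUS_LEN:
        return 400, "Bad Request"
    session.status = text
    return 200, "OK"


def handle_status_update(method, params, session):
    """The hardened version: POST only, plus a per-session CSRF token."""
    if method != "POST":
        # Image tags and plain links can only produce GET requests.
        return 405, "Method Not Allowed"
    token = params.get("csrf_token", "")
    # Constant-time compare; a cross-site form cannot read this token.
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, "Forbidden"
    text = params.get("status", "")
    if not text or len(text) > MAX_STATUS_LEN:
        return 400, "Bad Request"
    session.status = text
    return 200, "OK"
```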
Thanks for the update Blaine.
Talking about Twitter, did you try Twitterrific by Iconfactory?
Sumeet, I’m using it now – very nice app.