Twitter and other services need to address security. You, the user, need to as well.
Yet another Twitter cross-site scripting worm is making its rounds as I type this. It’s a variation on the previous worm that Michael Mooney (Mikeey) confessed to writing not long ago.
Cross-site scripting is a well known security problem that basically allows one page to load things into a user’s browser from one site and then inject code into a page from a different site. The code can be simple HTML or complex scripting. The user at the browser may not even know something is going on!
While it’s easy for a developer to miss vulnerable code, it’s not impossible to check for the holes that allow cross-site scripting. Problem is many do not in their rush to get product out the door.
Twitter had such immediate success it’s very likely they rushed code out the door to keep up with growing demand and thus opened themselves up to the vulnerability. That means that now, however, they have to do that checking after the fact and what vulnerabilities are still there will certainly be found and exploited. Too bad.
The message(s) the new worm leaves say it too well: “Twitter, this sucks! Fix your coding.” “Twitter Security Team Really? You need to be fired.” and “Horrible Coding!”
Of course, the user is not off the hook. Safe browsing is important. This is why I often recommend that people use Firefox with the NoScript add-in running in the background. That completely blocks cross-site scripting and other exploits from running unless you tell them to. Makes some sites look bad but worth the effort when browsing around the wild-west Internet.
For more on cross-site scripting see Wikipedia.