Twitter Javascript vulnerability: t.co links?

The twitter.com website was allowing naughty Javascript to be presented to users for a short while, and it looks like the t.co url shortener was to blame. The Javascript appears to be injected into tweets that are shortened via Twitter's own url shortening service, and includes a mouseover event that fires off a tweet of its own, propagating the 'virus' to your followers.

Twitter have now sorted out the affected tweets and issued an all-clear. Here is the notice on their status page:

We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.

We expect the patch to be fully rolled out shortly and will update again when it is.

Update (6:50 PDT, 13:50 UTC): The exploit is fully patched.

If you don't already use a desktop client, use twhirl to sign in to your account and remove any offending tweets the virus might have sent on your behalf.

To be honest, it does make you think: people/businesses have come to rely on Twitter as a communication channel if things go wrong, but what if Twitter itself goes wrong? There should always be a contingency in place, within reason.

Here are some tweets about the topic:

For your convenience, here is Twitter's status feed: Timeout on http://status.twitter.com/rss
No channel data


Comments

It's quiet in here...Add your comment