XSS exploit - otherwise known as "Escaping for Dummies"

This morning I noticed a really weird issue with my Twitter timeline: a bunch of posts with HTML in them, with things like "onmouseover".

I use a Twitter client - either on my Android phone or Echofon in Firefox - so the JavaScript didn't actually affect me; it was simply annoying.

A quick search revealed that Sophos had just published an article about an onmouseover exploit at (and the new as well).

What is apparent is that everyone and their brother is suddenly exploiting this. There is the exploit that retweets itself, one that tries to send direct messages to an account, and one that redirects a Twitter user's profile to porn sites.

Since there is nothing yet from Twitter about the issue, stay off of for now; clients appear to be unaffected.

If you've already had issues - Matt has instructions on how to clean things up.

And remember - no matter how long you've been programming, ALWAYS escape your user data!
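To show why that rule defeats the "onmouseover" tweets described above, here is an added example (not code from the original post or from Twitter): a renderer that splices tweet text straight into markup next to one that escapes it first. The renderer shape, the helper names and the sample tweet are all constructed for illustration.

```javascript
// Added example: HTML-escaping user data versus splicing it in raw.
// Runs under Node; no DOM is needed because we only inspect the generated markup.

// Escape the five characters that matter in HTML text and in double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer (constructed for illustration): the tweet text lands
// inside a quoted attribute and in the element body without any escaping.
function renderTweetUnsafe(text) {
  return '<span class="tweet" title="' + text + '">' + text + "</span>";
}

// Hardened renderer: identical markup, but every user-controlled value is
// escaped before it is placed in either context.
function renderTweetSafe(text) {
  const safe = escapeHtml(text);
  return '<span class="tweet" title="' + safe + '">' + safe + "</span>";
}

// Check used by the demo: does the output contain an event-handler attribute
// whose value is delimited by a real (unescaped) double quote? In the escaped
// output the quote becomes &quot;, so the handler never becomes an attribute.
function containsInjectedHandler(html) {
  return /\son[a-z]+="/i.test(html);
}

// Constructed sample tweet: closes the title attribute early and appends an
// event handler. The handler body is an inert placeholder name.
const CONSTRUCTED_TWEET = 'hello" onmouseover="doSomething()';

// Returns whether each renderer lets the handler through.
function demo(text = CONSTRUCTED_TWEET) {
  return {
    unsafe: containsInjectedHandler(renderTweetUnsafe(text)),
    safe: containsInjectedHandler(renderTweetSafe(text)),
  };
}
```

Escaping must match the context the value lands in; this example covers HTML text and double-quoted attribute values, which is where the tweets above did their damage, but values placed inside a URL or a script block need their own encoding.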
