Small Business Think Tank

Twitter Vulnerability Exposed (Views: 1293)

Mar 21, 2009 12:01 am - Twitter Vulnerability Exposed

Reg Charie
Twitter is vulnerable to a serious cross-site scripting (XSS) vulnerability that could allow an attacker to hijack users' accounts or, in conjunction with other exploit code, compromise their computers.

Proof-of-concept exploit code has been posted by Secure Science researchers Lance James and Eric Wastl. They say that Twitter has been notified but has not yet responded to them.

More -> http://www.informationweek.com/news/internet/social_network/showArticle.jhtml?articleID=216000011&cid=RSSfeed_IWK_News

Reg - NEW DEMO!! Turn photos into paintings http://FantasticMachines.com
All You Need is Dotcom-Productions and a Dream. http://dotcom-productions.com
0Grief http://0grief.com/special_hosting_accounts_for_my_ryze_friends.htm
CRELoaded websites http://RegCharie.com - SBTT http://thinktank-network.ryze.com


Mar 21, 2009 4:47 pm - re: Twitter Vulnerability Exposed

Teddy Towncrier


Thanks for this, Reg

There are a ton of add-ons available, and reviewing the creators' capabilities, it's downright scary what they're capable of.

I've written a few apps for my own use and which let me accomplish what I need.

"Follow the money" .... Why are they creating so many apps & what really does happen to our personal information?


Bestest.


Teddy Towncrier CPP Towncrier-Media.com Supercharging Your Visions.

Speak with me here Click Here for My Twitter


Mar 21, 2009 4:58 pm - re: re: Twitter Vulnerability Exposed

Marketing Manager Chuck & Shirley Bartok

I am not a Techie, so I don't understand the Security Concern regarding Twitter.

Can you knowledgeable Friends elaborate?

What is the Danger of my Twitter account being compromised?



Chuck & Shirley Bartok
My Business Card http://chuckbartok.com
Follow me on Twitter http://twitter.com/cjbart
Use Your Own Personal Trainer 24/7 http://focus40now.com


Mar 21, 2009 5:25 pm - re: re: re: Twitter Vulnerability Exposed

Scott Wolpow
Your Twitter account on Twitter is safe. What is not safe are third party applications and links in Twitter posts. In some cases you may be granting access to your machine to others. This is similar to file sharing applications and torrent systems.
These security issues will allow you to be redirected to spoof pages for phishing or to install malware.


Mar 21, 2009 5:30 pm - re: re: re: re: Twitter Vulnerability Exposed

Marketing Manager Chuck & Shirley Bartok

Thank you, Scott... maybe that is why I use so few of these Applications.



Mar 21, 2009 6:05 pm - re: re: re: re: re: Twitter Vulnerability Exposed

Reg Charie
Thanks Scott.

Security is always a concern.
Along with NEVER clicking on an unknown link, I offer the following tips.

As I run a web-server I see my fair share of script insertion exploits.

If you have a website and it has *ANY* kind of a form on it, registration, forums, guestbooks, contact, etc, make sure it is a secure "captcha" (the text shown as a graphic) variety.

Don't put your email address on your site, use a php scripted form for contact options.


Mar 21, 2009 6:34 pm - re: re: re: re: re: re: Twitter Vulnerability Exposed

Scott Wolpow
You do not have to use captcha for security purposes, but to prevent spam. What you must have is protection against SQL injection and the likes.


Mar 21, 2009 6:43 pm - Re: Twitter Vulnerability Exposed

Teddy Towncrier


Chuck! ... It's really simple. ...

On the Internet:  IN GOD WE TRUST ... Everybody else is suspect.

I can't address Twitter vulnerabilities specifically except to say that I've researched some of the "App" creators and discovered some are very skilled, cunning and scary and I choose to avoid most of these apps however cute and useful they may appear.

Today's Internet is like free love. ... Unless you're really, really careful; .. You're going to get zapped.   (Not if! ... But rather; WHEN).

In addition to some Industrial strength filters. .... I use dozens of disposable email addys and when there's a hint of impropriety that addy is history.

Another area of danger that we don't have much control over is emails we receive that have been sent to multiple recipients listed in the "To:" or "Cc:" field, which results in your address being stored on a dozen or so computers which may not be "Bot Proofed", and we awaken to discover every name in our address book has received junk mail (.. and worse) from you.

When I receive a multiple recipient or Fwd letter ... The sender (including friends) gets a polite note with solutions. .... The next time they get a strong note, and the 3rd brings a request to remove me from their bulk list and a notice that next time will result in a letter to their ISP.  More..

Another area of vulnerability is "Harvestable" email addresses (e.g. Mailto:Chickandco@Happiworks.com) on your pages, which will be crawled, harvested and sold. .... Tell your Geek that you want non-harvestable contact links on your pages.

Make sure your filters are up to date and you should be OK. TrendMicro's Housecall is a good place to start.

See also ... Your WWW Site is a banquet for stalkers!


Bestest.



Mar 22, 2009 3:55 pm - re: re: re: re: re: re: re: Twitter Vulnerability Exposed

Reg Charie
Scott,
The captcha prevents robotic script insertion.


Mar 22, 2009 5:42 pm - re: re: re: re: re: re: re: re: Twitter Vulnerability Exposed

Scott Wolpow
But you cannot use captcha for all your searches and dynamic links, which in reality are just like forms. Would you use captcha each time you add to a cart?


Mar 22, 2009 9:07 pm - re: re: re: re: re: re: re: re: re: Twitter Vulnerability Exposed

Reg Charie
You don't need captcha on dynamic links, only on the parts where the forms have fields for user entered data.

A shopping system need not have a captcha until the script calls for user entered data. (Registration - Payment).

While it is true that security methods on the server's operating system do a lot to reduce the efforts of script insertion, it is still safer to use secure forms.




Mar 23, 2009 2:59 am - Twitter Vulnerability Exposed

Scott Wolpow
Except many security issues come from SQL injection issues, among other security holes. People spamming you is harmless, unless you click on a link. A SQL injection issue can allow others to use your site for attacks.


Mar 23, 2009 6:02 am - re: Twitter Vulnerability Exposed

Reg Charie
Right you are Scott.
SQL injections use unprotected forms.
A captcha protected form is the first line of defense.





Mar 23, 2009 1:14 pm - re: re: Twitter Vulnerability Exposed

Scott Wolpow
If you have a dynamic site and menu items that are dynamic, then each link is a 'form'.

By clicking on a dynamic link you are submitting data. Same if you have a search box.


Mar 23, 2009 5:32 pm - re: re: re: Twitter Vulnerability Exposed

Reg Charie
Yes they are, Scott, but it is my understanding that a script insertion bot needs a form field to function, and since they cannot submit a captcha protected form, the secure forms defeat them.
While a captcha protected form will not stop a person from inserting a SQL hack, the great majority of these are performed by automated scripts which cannot "read" and fill out the captcha form field.




Mar 23, 2009 5:46 pm - re: re: re: re: Twitter Vulnerability Exposed

Scott Wolpow
Script insertion bots can read and modify the dynamic link. It will do this to try and test for weaknesses.

The purpose for my post is for people to realize that a captcha script alone will not mean protection.


Mar 23, 2009 6:01 pm - re: re: re: re: re: Twitter Vulnerability Exposed

Reg Charie
No it won't, Scott, but it is a first line of defense.

In my capacity as a server manager for my hosting company I see many hack attempts which trace back to unsecured forms.

Quite often these are traced back to "abandoned" forums, guest scripts, or other such software that has not been updated with the latest security patches.


Mar 23, 2009 6:15 pm - re: re: re: re: re: re: Twitter Vulnerability Exposed

Scott Wolpow
I have found attempts to use what were known, but fixed, exploits in some open source scripts.

In one script for a client who had work done in another country, there was a phone home script. Not sure of the reason, but I took it out.


Mar 24, 2009 3:25 pm - re: re: re: re: re: re: re: Twitter Vulnerability Exposed

Kurt Schweitzer
Personally I prefer data entry validation to Captcha. PHP has a nice little "clean" function that strips out the characters that tend to break scripts. I never allow raw visitor-entered data to be parsed as a SQL command, or as a line of PHP for that matter.

Having secure forms isn't that hard to do!

Captcha is most useful (IMO) for registration-type forms where registrants acquire some privileges on the site. I have yet to see Captcha used for quantity fields, site searches, or the like. Or even here!

I think Captcha is not needed except for a few situations.

Kurt Schweitzer
Urban Village Scooters

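The point Scott makes about dynamic links being forms, and Kurt's point that visitor data must never be parsed as SQL, side by side as an added example (written for this page in Python with sqlite3, not code from any poster; the product table, the `id` link parameter and the two sample query strings are all constructed):

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample catalogue: one public product and one hidden one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Scooter helmet", 1), (2, "Unreleased model", 0)])
    return conn


def product_id_from_link(query_string):
    """The value carried by a dynamic link such as ?id=1 (assumed parameter name)."""
    return parse_qs(query_string).get("id", [""])[0]


def lookup_concatenated(conn, query_string):
    """Unsafe: the link parameter is pasted straight into the SQL text."""
    pid = product_id_from_link(query_string)
    sql = "SELECT name FROM products WHERE public = 1 AND id = " + pid + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_validated(conn, query_string):
    """Safe: validate that the id is a plain number, then bind it as a parameter."""
    pid = product_id_from_link(query_string)
    if not pid.isdigit():
        return []  # reject anything that is not a plain product number
    rows = conn.execute(
        "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id", (int(pid),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    normal = "id=1"              # constructed: what a visitor's click sends
    tampered = "id=2+OR+1%3D1"   # constructed: the same link with its value altered
    print(lookup_concatenated(db, normal))     # ['Scooter helmet']
    print(lookup_concatenated(db, tampered))   # both rows, the hidden one included
    print(lookup_validated(db, tampered))      # []
```

No captcha is involved at any point: the altered link is an ordinary GET request, which is why the validation and parameter binding in `lookup_validated`, not a captcha, is what closes the hole.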

Mar 24, 2009 5:19 pm - re: re: re: re: re: re: re: re: Twitter Vulnerability Exposed

Reg Charie
Kurt,
If you have control over the whole server you can do a lot in a "behind the scenes" manner that is not available to those using shared servers.

Here in Ryze you cannot embed a script in a post as the code is automatically stripped out. Ryze is quite limited in what is allowed.

This would not fly on a shared server as it removes too much functionality.
If it were as 'easy' as using data entry validation why is script insertion such a problem?


