Latest Web, Design and Development News
Twitter Meltdown
This morning a hack was discovered on Twitter that injects functionality into links: as you hover your mouse over them they trigger their action.
After starting with benign ‘proof of concept’ pop-up messages, this swiftly moved to messages that self-replicate: hovering over one reposts it from your account. These messages were being styled to appear as black blocks (to attract a curious mouse hover) and then to enlarge the text size so that it filled the screen (impossible not to hover your mouse over).
This seems to affect the Twitter web client (and presumably any API client that doesn’t sanitise its output). So using a 3rd-party client (e.g. TweetDeck) is the safe course of action right now; the replication is unlikely to stop until Twitter install a fix, and this hack has the potential to do damage as well as being annoying.
Technical detail:
http://somelink.com/@"injection/
is converted to
<a href="http://somelink.com/@"injection/>http://somelink.com/@"injection/</a>
The double quote in the URL is not escaped, so it closes the href attribute early and the rest of the URL is parsed as further attributes on the link. ‘injection’ can therefore include JavaScript (e.g. onmouseover="{submit status}" / onmousemove="{action}") or inline CSS (e.g. style="{huge text size}").
Example injection here.
I’d advise not messing about with your own test cases. I think you’ll be risking a Twitter ban.
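The flaw described above, as an added example (this is not code from the original post or from Twitter): a minimal auto-linker that concatenates the URL straight into the href attribute, beside a hardened version that HTML-encodes it, plus a small check that flags an anchor carrying any attribute other than href. The URL pattern, function names and the sample tweet text are assumptions constructed for the example.

```javascript
// Added example (not code from the original post or from Twitter): a
// minimal auto-linker with the quote-handling flaw described above, beside
// a hardened version, plus a check that spots an anchor carrying extra
// attributes. URL_RE is deliberately permissive (it accepts quotes) so the
// bug is reproducible; a stricter URL character class is a second,
// independent fix.
const URL_RE = /https?:\/\/\S+/g;

// Flawed auto-linker: the URL is concatenated straight into the href
// attribute and the link text. A double quote inside the URL closes the
// attribute early, so whatever follows is parsed as new attributes.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// Encode the five characters that matter in both attribute values and text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened auto-linker: the quote becomes &quot; and stays inside the value.
function linkifySafe(text) {
  return text.replace(URL_RE, url => {
    const enc = escapeHtml(url);
    return `<a href="${enc}">${enc}</a>`;
  });
}

// Detection helper: tokenise the attributes of the first <a> tag the way a
// browser would (quoted values may contain spaces and '=') and return the
// attribute names. An auto-linked anchor should carry exactly ['href'].
function anchorAttributeNames(html) {
  const m = /<a\s([^>]*)>/.exec(html);
  if (!m) return [];
  const s = m[1];
  const names = [];
  let i = 0;
  const skipWs = () => { while (i < s.length && /\s/.test(s[i])) i++; };
  while (i < s.length) {
    skipWs();
    let name = '';
    while (i < s.length && !/[\s=]/.test(s[i])) name += s[i++];
    if (name) names.push(name);
    skipWs();
    if (s[i] === '=') {
      i++;
      skipWs();
      if (s[i] === '"' || s[i] === "'") {
        const q = s[i++];
        while (i < s.length && s[i] !== q) i++;
        i++; // step past the closing quote
      } else {
        while (i < s.length && !/\s/.test(s[i])) i++;
      }
    }
  }
  return names;
}

// Constructed sample tweet text, shaped like the page's example: a quote in
// the URL followed by a style attribute (the "huge text size" trick).
const SAMPLE = 'look http://somelink.com/@"style="font-size:999px';

function demo() {
  const unsafe = linkifyUnsafe(SAMPLE);
  const safe = linkifySafe(SAMPLE);
  console.log('unsafe:', unsafe, anchorAttributeNames(unsafe));
  console.log('safe:  ', safe, anchorAttributeNames(safe));
}
demo();
```

Running it shows the unsafe output producing an anchor with both href and style attributes, while the hardened output keeps the whole URL (quote included, as &quot;) inside href. Encoding at the point of output is the fix that holds regardless of what characters the URL matcher lets through.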
[Thanks @ethicalhack3r for confirmation of the hack].
Categories: Front Page and tags: Twitter, vulnerability
Forthcoming Events (end of September)
Events over the next couple of weeks that may appeal to design / tech folk:
23/9 (Thu) – 27/9 (Mon) – Render 10: An exhibition of new media works.
24/9 (Fri) – The Geekest Drink: Social gathering of Newcastle’s geekerati.
27/9 (Mon) – SuperMondays: GroupCamp / breakout sessions.
30/9 (Thu) – Codeworks – “The Battle”: Competitive design event.
1/10 (Fri) – Parallel Worlds: Literary / philosophical conference.
Give me a shout if you’d like to meet and chat at any of them!
Categories: Front Page and tags: events
Diaspora – Early release code receives criticism
The team behind Diaspora, the open source social network mooted as a ‘privacy aware’ competitor to Facebook, has released its first pre-alpha source code.
It seems to have attracted a salvo of criticism from outside developers: some label the security problems as deep-seated and requiring a full rewrite, others criticise the specific open source licence the project adopted, implying it is parasitic.
It highlights some of the issues with opening code, particularly on a high-profile project. The intended development community needs to feel respected and enthused; otherwise the only outsiders interested in pulling apart the code will be those with malicious intent.
Further Reading:
Article: Diaspora’s “open Facebook” source code riddled with security issues
Categories: Scrapbook and tags: Diaspora, open source
Scrapbook area
I’ll be posting useful and controversial web articles that I find on my travels in this section.
Categories: Scrapbook
News blog launched!
I’ve installed a blog to keep you up to date with my latest projects, skills and availability.
I’ll also be posting articles of interest to web developers and notice of local events I think will be worth attending.
In case you’re curious – it’s a WordPress install that I’ve created a custom template for.
Categories: Front Page and tags: this site