tweet api_Twitter hit by a worm attack spreading thousands of tweets

tweet api

Twitter has fixed a cross-site scripting (XSS) vulnerability which caused thousands of messages to spread throughout the system. Unbelievably, the security flaw was exposed by a simple JavaScript onmouseover event handler. It was first exploited by zzap and judofyr following posts by RainbowTwtr earlier today:



Passing your mouse over the message caused a JavaScript alert and, within hours, spammers were using the flaw to redirect users to other websites, change page backgrounds, and retweet messages. Fortunately, Twitter fixed the problem before spammers could attempt to steal cookies or load larger JavaScript payloads from external websites.


It should be noted that the bug affected Twitter.com and, potentially, third-party systems opened in a web browser. Security company F-Secure advised users to use applications such as TweetDeck until the problem was fixed. However, all users would have seen rogue tweets.


The system was affected for several hours, and a search for "onmouseover" reveals the extent of the outbreak. A few issues surprise me:


  1. Why didn’t Twitter take down the service immediately?
  2. Why wasn’t user input fully sanitized? We all make programming mistakes, but this was a fairly fundamental problem.
  3. Why wasn’t the flaw found sooner? (Perhaps it was introduced in a recent update?)
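The second question is the heart of the bug: a tweet's text reached the page markup without being encoded for the context it was inserted into. The following is an added example, not code from the original article or from Twitter; it uses a hypothetical auto-linking routine and a constructed tweet to show how a double quote inside a user-supplied URL terminates the `href` attribute and turns the rest of the text into a live `onmouseover` attribute, and how attribute-encoding the value before it reaches the markup closes the hole.

```javascript
// Added example (not from the original article): a naive auto-linker that
// drops user text straight into an href attribute, beside a hardened version
// that HTML-encodes every user-controlled value. All inputs are constructed.

const URL_RE = /https?:\/\/\S+/g;

// Encode the characters that are significant in HTML text and attribute
// values. Encoding the quote characters is what prevents an attribute breakout.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the matched "URL" is interpolated verbatim, so a double
// quote in it ends the href value and whatever follows is parsed by the
// browser as additional attributes on the <a> element.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened pattern: the URL is encoded before it is placed in the attribute
// and in the link body, and the surrounding text is encoded as well, so no
// user-controlled character can alter the structure of the HTML.
function linkifySafe(tweet) {
  let out = "";
  let last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const safe = escapeHtml(m[0]);
    out += `<a href="${safe}">${safe}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Coarse self-check a renderer can run over its own output: scan for anything
// that looks like an inline event-handler assignment (on... = preceded by a
// quote or whitespace). A tweet renderer should never emit one, so any hit is
// worth investigating. It is a heuristic and will also count matches that
// appear in text content, so treat the result as "zero or not zero".
function countEventHandlers(html) {
  const m = html.match(/["'\s]on[a-z]+\s*=/gi);
  return m ? m.length : 0;
}

// Constructed tweet whose "URL" carries a quote followed by an inline handler,
// the general shape of input the article describes.
const SAMPLE = 'check this http://example.com/"onmouseover="alert(1) out';

console.log("unsafe:", linkifyUnsafe(SAMPLE));
console.log("safe  :", linkifySafe(SAMPLE));
console.log("handler-like matches, unsafe:", countEventHandlers(linkifyUnsafe(SAMPLE)));
console.log("handler-like matches, safe  :", countEventHandlers(linkifySafe(SAMPLE)));
```

In the unsafe output the browser sees `<a href="http://example.com/"onmouseover="alert(1)">`, a valid anchor with a real event handler; in the safe output the quotes survive only as `&quot;`, so the whole string stays inside the attribute value. The fix is context-aware output encoding at the point of rendering, which is cheaper and far more reliable than trying to "sanitize" input by blacklisting words such as `onmouseover`.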

Please tweet me with your answers. On second thoughts…


Translated from: https://www.sitepoint.com/twitter-xss-worm-attack/
