As many people are discovering, Twitter has been compromised, and badly.
It would seem, from what I can piece together from the web sites discussing the problem, the new Twitter interface doesn’t bother to do a little thing called escaping the input so that JavaScript can’t be inserted into Twitter messages. Messages have then been posted that capture the MouseOver event on links and play havoc with the page (if not re-directing you to porn sites).
We’ve been indulgent of Twitter for too long, probably because it’s simple, easy, and free. However, the company’s habit of piling on new additions, without ensuring that they are either robust or secure, has now bit it in the butt. Bit us in the butt, I should say. I frankly have lost trust in the application, and have to re-think if I want to continue using the site and services. At a minimum, I am looking at third party applications rather than accessing Twitter, directly.
Maybe this event is a reminder that Twitter isn’t the only way to communicate; that it’s time to get back to writing. Real writing, with punctuation and words without the vowels removed.
For now, don’t access Twitter until you see all clear messages from reliable sites at Techmeme.
update Netcraft has a nice rundown on the genesis of the problem. And I’m trying TweetDeck for the first time. Don’t really care for it.
second update Why on earth doesn’t Twitter shut down the web site until the problem is fixed? Irresponsible isn’t the word that comes to mind, right now.
third update Supposedly the Twitter XSS exploit was fixed this AM. Oh, but, fa la la!—Twitter also posted some new stuff, so that people are all talking about the cool new stuff—rather than the obvious security flaw the company left in its application, and that it actually left the web site up while fixing the bug.
