Twitter has had a lot of embarrassing security problems in the past, but the worst part is that they still haven’t learned from their mistakes. Apparently a recent redesign left the profile page vulnerable to a very simple XSS attack.
Some enterprising hacker quickly seized the opportunity to promote Twitter-clone StalkDaily by infecting the profiles of hundreds of users, and using their accounts to Tweet marketing messages such as “Join www.StalkDaily.com everyone!”. StalkDaily denies any responsibility for the XSS attack. The source code for the worm is available, and reveals just how simple this attack really was.
Here is a little free advice for the developers at Twitter: install xss-shield, or start using h() to escape user-supplied strings in your templates. Since the field that was vulnerable to cross-site scripting and allowed this worm to propagate was supposed to be a URL, it might not hurt to validate that against a simple regular expression while you’re at it.
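To make both pieces of advice concrete, here is an added Ruby example (my own, not Twitter's code) that renders a profile URL field with and without escaping and validates it against a conservative regular expression first. ERB::Util.html_escape is what Rails' h() helper calls; the regular expression, the helper names and the sample input are my own assumptions.

```ruby
require "erb"

# Conservative whitelist for a profile "website" field: absolute http(s)
# URL, a hostname, optional port, optional path with no quotes or angle
# brackets. Anything fancier is rejected rather than rendered.
SAFE_URL = %r{\Ahttps?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s"'<>]*)?\z}

# Constructed sample input (not the worm's payload): a "URL" that smuggles
# markup into the page if the template interpolates it raw.
SAMPLE_INPUT = 'http://example.com/"><b>x</b>'

def valid_profile_url?(value)
  SAFE_URL.match?(value)
end

# What a template does when it drops a raw string into the HTML: the
# user-supplied markup becomes part of the page.
def render_unsafe(url)
  %(<a href="#{url}">#{url}</a>)
end

# Same template with h()-style escaping: <, >, & and quotes become
# entities, so the browser shows the text instead of executing it.
def render_safe(url)
  escaped = ERB::Util.html_escape(url)
  %(<a href="#{escaped}">#{escaped}</a>)
end

# Defence in depth: validate the URL first, and still escape whatever
# survives before it touches the template. Returns "" for rejected input.
def profile_link_html(value)
  return "" unless valid_profile_url?(value)
  render_safe(value)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(SAMPLE_INPUT)}"
  puts "safe:   #{render_safe(SAMPLE_INPUT)}"
  puts "valid?  #{valid_profile_url?(SAMPLE_INPUT)}"
end
```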
I’ve lost count of the number of security breaches Twitter has had in the past few months. The question now is whether they’ll hire a competent web security architect and clean up their act.