Beware The Twitter Black Text

As a web developer, one thing you learn early on is that you can’t trust the user’s input at all. When you ask for a date of birth in mm/dd/yyyy format, people *will* type in September 17th, 1962. When you ask for a number from 1 to 10, people *will* type in “red.” Don’t ask me why, but people do these things. Sometimes it is out of sheer ignorance of what should be entered (either due to a fault of the webmaster’s for not being clear enough or due to the user not reading directions). Sometimes, though, the user will be malicious in nature and will be trying to find holes in your code to exploit.

A common method of attack is called a SQL Injection attack. In layman’s terms, this is an attack that fools the script into running what the hacker wants instead of what the webmaster intended. For example, if the webmaster asked you for your user ID and used that to form a query like “Select * From users Where ID = USERID” (where USERID is the ID you entered), this could be hacked by someone entering “1; Delete From users;”. The “1” would complete the webmaster’s original query and the semi-colon would indicate to the server that another query was coming. Then the Delete statement would delete all data in the database (well, at least the Users table).

Obviously, webmasters would want to take measures against this. To do this, they would check the user’s input against what they were expecting and act accordingly. Using the example above, I could check to see if the data was a number. If the user entered “5”, they would be ok and the query would be run. If the user entered “1; Delete From users;”, their data would either be cleansed (just use the “1” portion) or rejected outright.
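To make the difference concrete, here is an added Python example (not code from this post) that uses an in-memory SQLite table as constructed sample data. It runs the post's "1; Delete From users;" input against a query built by pasting the input straight into the SQL text, and then against the two defences the post describes: checking that the input is a plain number (rejecting it, or cleansing it down to the leading "1"), and binding the value as a query parameter so the database treats it as data rather than as a second statement. The table layout and function names are my own assumptions.

```python
import re
import sqlite3

MALICIOUS_ID = "1; Delete From users;"   # the input from the post


def make_db():
    """Constructed sample data: a small users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (5, "carol")])
    conn.commit()
    return conn


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_vulnerable(conn, user_id):
    """The pattern the post warns about: the raw input is spliced into the SQL text.
    executescript() is used because it runs stacked statements, mimicking a database
    driver that accepts several ';'-separated statements in one call."""
    sql = f"SELECT * FROM users WHERE id = {user_id}"
    conn.executescript(sql)
    return user_count(conn)   # how many users are left afterwards


def validate_user_id(raw):
    """Reject outright: anything that is not a plain decimal number is refused."""
    if not re.fullmatch(r"\d+", raw.strip()):
        raise ValueError(f"user id must be a number, got {raw!r}")
    return int(raw)


def cleanse_user_id(raw):
    """Cleanse instead: keep only the leading digits (the post's 'just use the 1 portion')."""
    m = re.match(r"\s*(\d+)", raw)
    if m is None:
        raise ValueError(f"no number at the start of {raw!r}")
    return int(m.group(1))


def lookup_parameterized(conn, user_id):
    """Bind the value instead of splicing it: the driver sends it as data, so a ';' inside it
    can never start a second statement. Validation plus binding is the usual combination."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("users left after vulnerable lookup:", lookup_vulnerable(db, MALICIOUS_ID))

    db = make_db()
    print("parameterized lookup with the raw input:", lookup_parameterized(db, MALICIOUS_ID))
    print("users left:", user_count(db))
    print("cleansed id:", cleanse_user_id(MALICIOUS_ID))
    try:
        validate_user_id(MALICIOUS_ID)
    except ValueError as err:
        print("rejected:", err)
```

Running it shows the vulnerable lookup leaving zero rows behind, while the parameterized lookup returns nothing and leaves all three rows in place; the cleansed id is 1 and the strict validator refuses the input.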

So what does this have to do with Twitter? This:

[Image: TwitterBlackText.jpg]

The black text above hides a Twitter worm working its way through Twitter.com as of this writing. This is similar to the database example above, only in this case it involves Twitter and link formation.

You see, if you’re typing a tweet and say, for example, “I really like http://www.TheAngelForever.com/”, Twitter will helpfully turn the typed URL into a clickable link for you. It does this by detecting where the link is and wrapping it in <a href="URL">URL</a>. (The actual code is slightly more complex, but this simplified version will work for now.) This works fine when the typed URL is http://www.TheAngelForever.com/, but what if the URL is this:

http://a.no/@"onmouseover=";$('textarea:first').val(this.innerHTML);
$('.status-update-form').submit()" style="color:#000;background:#000;/

Don’t worry. I’ve kept this code from forming a link and split it on two lines for good measure. The first segment (“http://a.no/”) is used to fool Twitter into thinking that the rest of the code is just a hyperlink. Next, a double-quote (") is used to close out the HTML link section. Now the real “fun” starts. The “onmouseover” tells the browser to run the following code when the user hovers over the link. The code within this section enters the whole fake link into Twitter’s status update box and submits it. This is what makes you tweet that link and thus spread the worm. The remaining section (“style…”) turns the text and background colors to black to hide the text and make it look “censored” (prompting you to hover over it to see what it says). The slash at the end further fools Twitter into thinking that the whole thing is one big URL.

So what should you do if you’ve been hit? Delete the tweet, for one thing. I’d also recommend using a third-party application like Seesmic Desktop or TweetDeck until Twitter addresses it. At this writing, the worm is only propagating itself and isn’t otherwise a threat. Still, the code it runs could send you to other websites (which could infect you with malware/viruses/trojans) or do other things to compromise your account/computer. So keep your eyes peeled for suspicious activity.

What can Twitter do? For one, I’d recommend that they escape any double-quote in URLs. If that code was rendered as:

http://a.no/@&quot;onmouseover=&quot;;$('textarea:first').val(this.innerHTML);
$('.status-update-form').submit()&quot; style=&quot;color:#000;background:#000;/

then the worm wouldn’t be able to run its payload. Hopefully, Twitter will act on this fast and prevent any further spread.
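As an added Python example (not Twitter's code and not from the original post), here is a model of the simplified <a href="URL">URL</a> scheme described above, together with the two remedies discussed: escaping the double quote into &quot; so it can never close the href attribute, and cutting the URL token off at the first double quote, which is what the fixed link in the update looks like. The two regular expressions and the AnchorAudit helper are my own assumptions about how an autolinker and a defensive check might be written, not the real implementation; the tweet text is constructed from the payload quoted above, on one line with straight quotes.

```python
import html
import re
from html.parser import HTMLParser

# Constructed tweet: the payload quoted in the post, with straight quotes, on one line.
WORM_TWEET = (
    'look: http://a.no/@"onmouseover=";$(\'textarea:first\').val(this.innerHTML);'
    '$(\'.status-update-form\').submit()" style="color:#000;background:#000;/'
)

# Assumed token rules, not Twitter's. The loose one runs to the next whitespace, so a
# double quote stays inside the "URL"; the strict one stops at whitespace, <, > or ".
LOOSE_URL = re.compile(r'https?://\S+')
STRICT_URL = re.compile(r'https?://[^\s<>"]+')


def autolink_vulnerable(text):
    """The simplified scheme from the post: wrap the raw match in <a href="URL">URL</a>."""
    return LOOSE_URL.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def autolink_escaped(text):
    """Remedy 1 (the post's suggestion): keep the loose token but escape it, so every
    double quote is rendered as &quot; and cannot close the href attribute."""
    def repl(m):
        safe = html.escape(m.group(0), quote=True)
        return f'<a href="{safe}">{safe}</a>'
    return LOOSE_URL.sub(repl, text)


def autolink_strict(text):
    """Remedy 2 (what the fixed link in the update looks like): the URL token ends at the
    first double quote, so the rest of the tweet is rendered as plain text. Escaping is
    still applied as well, since the two defences cost nothing together."""
    def repl(m):
        safe = html.escape(m.group(0), quote=True)
        return f'<a href="{safe}">{safe}</a>'
    return STRICT_URL.sub(repl, text)


class AnchorAudit(HTMLParser):
    """Defensive check: collect every attribute on every <a> that is not href.
    Any extra attribute means the autolinker let tweet content escape the href value."""
    def __init__(self):
        super().__init__()
        self.extra = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.extra.extend(name for name, _ in attrs if name != "href")


def injected_attributes(fragment):
    """Return the names of attributes that were smuggled onto <a> tags in the fragment."""
    audit = AnchorAudit()
    audit.feed(fragment)
    audit.close()
    return audit.extra


if __name__ == "__main__":
    for name, fn in [("vulnerable", autolink_vulnerable),
                     ("escaped", autolink_escaped),
                     ("strict", autolink_strict)]:
        out = fn(WORM_TWEET)
        print(f"{name}: injected attributes = {injected_attributes(out)}")
        print("   ", out[:90], "...")
```

With the loose tokenizer the rendered anchor gains an onmouseover attribute, which is exactly the hole the worm used (the style portion lands outside the tag in this model because the token stops at the space). Both remedies leave href as the only attribute on the link; the strict one additionally turns everything after the first quote back into harmless text.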

UPDATE: Twitter has fixed the bug that allowed this script to run. You can see my non-malicious test tweet here. Notice how the link cuts off before “onmouseover.” This means that the worm is now stopped in its tracks. While an old infection-tweet might cause you to post the link, the resulting tweet won’t be able to spread the worm. In addition, Twitter seems to be deleting the worm where they can find it. Good job, Team Twitter!

#DisneySMMoms 2010 – Bumps and Epcot and Magic Kingdom Oh My! (Day 5, Part 1)

We began Day 5, February 11th, getting the boys and us ready. This was to be a big day. B was headed to the Disney Social Media Moms conference. I, in turn, was going to take the boys with me to Epcot. We weren’t going to be alone, though. We were going to meet up with Tom and TJ while Christina from CutestKidEver went to DisneySMMoms with B.

First, we needed to get breakfast. So we headed to the Polynesian Great Ceremonial House (their main hall) and began surveying our options. After Tom and TJ arrived, I had something selected and we got ready to go. JSL climbed into the stroller and sat down. I began to back up and he decided that this was a good time to get out. He turned around in the seat and, before I could react, slid out of the stroller and slammed his head on the marble floor.

» Read more

Of Tweets and ReTweets

On Friday, March 19th, a few Twitter users started retweeting @CutestKidEver’s opposition to Congress’ Health Care Bill. There was only one problem. She hadn’t expressed opposition to it at all. In fact, she was expressing anger at the ads opposing it. Here’s her original tweet:

Getting angry at ads misleading people to get them to call Scott Murphy and tell him to vote no on #HCR

Now here’s one of the retweets.

RT @cutestkidever: Call Scott Murphy and tell him to vote ‘NO’ on #HCR

Do you see the problem there? It was even more pronounced when that same person retweeted @ScottFeinberg. Over two tweets, he said:

The following Congressmen are still undecided about health care reform, which needs 6 more votes. Call and urge them to vote "Yes!"

Rep. Scott Murphy (D-New York’s 20th District) at (202) 225-5614

The retweet said:

RT @ScottFeinberg: Tell Murphy "NO" Rep. Scott Murphy (D-New York’s 20th District) at (202) 225-5614

First of all, let me get one thing out of the way. This post is not about the pros or cons concerning any Health Care bill. So please save your "It’s horrible! / It’s fantastic!" comments for another post. (In fact, I delayed this post until after the Health Care vote hoping to avoid most of those comments.) Why did I highlight those tweets, then? Well, it’s all about the Retweet.

You see, for the longest time, retweeting was an informal process. You’d copy the person’s tweet and username, add an "RT" in front of it, perhaps a comment after it, and off it went. To standardize things, Twitter recently added a retweet function that takes the whole tweet and puts it in the timeline of that user’s followers.

I’ll be honest. I didn’t like this change. No longer could I comment within a RT. It was an adjustment to recognize that the strange person appearing in my timeline was from a RT. Luckily, I didn’t need to bother with it because I used Seesmic Desktop. Hitting the retweet option gave me the familiar "RT @Username Original Message" pre-filled tweet. But then Seesmic Desktop began using the new Twitter RT method. Now, I had to copy/paste the message or select Quote Message (which was one level deeper than retweet).

I really didn’t see the need for this new retweet method. Why replace "RT" (with the ability to comment inline with the original message) with the "intruding tweeter" method? Well, after CutestKidEver and ScottFeinberg’s experiences, I can see one very good reason. While I still can see much utility in the old method, it could easily be used, intentionally or unintentionally, to misquote somebody. And once a misquote is made, it can spread like wildfire with more and more people retweeting the misquoted tweet. Before long, thousands of people could read the original misquoted tweet.

The new RT method is immune from misquoting. You simply can’t use Twitter’s new RT method and turn someone’s support for something into opposition (or vice versa). The problem that CutestKidEver and ScottFeinberg experienced couldn’t happen using the new RT. In the end, I don’t think I’ll be a complete convert to the new RT method. I still like adding my own comments from time to time, but I now can see the importance behind the new method and why Twitter went that route versus incorporating the previous method.

Beware the Twitter Follower Scam

While browsing through various tweets, I saw this one. Intrigued, I clicked through. There, I was presented with a video explaining how, if I joined this website, I would get thousands of followers *AND* get paid. Of course, my “scam alert” sirens went off immediately. Here’s the basic rundown. First, I would give them my Twitter username and password. (*siren blares*) After that, everyone who had previously joined the system would be automatically set to follow me and I would be set to follow all of them. Next, I would be paid $10 per month for each person I convinced to join. (*siren blares*) And how much for this “wonderful opportunity”? Only $1. (*siren stops blaring but only because it has overloaded and exploded in a humongous fireball*)

» Read more

Tiny Copyrights and Defamatory Tweets

Recently, two news stories caught my eye. The first involves a ruling by the European Court of Justice (ECJ). The case involved a newspaper clipping service called Infopaq. People would sign up with Infopaq and specify what keywords they wanted to keep an eye out for. Infopaq would then scan in articles, find the keywords, and print a listing with those keywords, the five words before and after the keywords, where the article appeared and how far down in the article the keywords appeared. The Danish newspaper industry took exception with this business plan and sued. Infopaq claimed that since their scanning was temporary (they didn’t print whole articles out, just the 11 word snippets), they fell under the copyright exemptions. The Court, however, ruled against them.

The worrying part isn’t that they were dinged for scanning the articles. That, I would have almost expected. Instead, they were dinged for 1) using 11 word snippets and 2) clients being able to print out the snippets. The Court found that 11 word snippets were still covered by copyright law. To give you an example of how ridiculous this is, I’ll quote an 11 word snippet from the article about the ruling: “means that there is a risk that the reproduction will remain”. According to the Court, since you, the reader, could print this blog post out and keep it indefinitely, I’ve now committed copyright infringement.

Of course, I live in the US, so I doubt the ECJ could do anything against me. Still, given the propensity for nations to follow one another over the copyright madness cliff, something like this worries me. Were the “11 word snippet” ruling to be used widely, services like Google News would go dark. Simple quoting from a source (a necessary part of research and protected by Fair Use) would land one in a big, boiling pot of copyright lawsuit soup. I’m not sure what appeals options Infopaq has, but if they have any, let’s hope that this ruling is overturned.

The other story that caught my eye was the tale of Amanda Bonnen from Chicago. Frustrated with her apartment situation, she did what many of us would do: She tweeted about it. Specifically, she wrote: “Who said sleeping in a mouldy apartment was bad for you? Horizon realty thinks it’s OK.”

Now, many fine companies monitor Twitter and would have taken her complaint as an opportunity to turn bad PR into good by working with her to formulate an appropriate resolution for her. Not Horizon, though. They sued her for $50,000 in defamation damages claiming that because her Twitter profile was public, her 53 character tweet was published “throughout the world.” That’s almost $1,000 in defamation per character! Horizon probably didn’t win any PR points for their “We’re a sue first, ask questions later kind of an organization” quote either.

Of course, a classic Streisand Effect has occurred. Had Horizon just ignored her, her tweet would have vanished among the millions posted around that time. At most, a few of her friends might have retweeted it before it faded into obscurity. (A Google Cache check shows that she had a mere 17 followers.) Instead, major news organizations, blogs and other websites have picked up the story. People are tweeting and retweeting about it much more than Amanda Bonnen would ever have been able to do by herself. Horizon should ask themselves whether suing her for $50,000 over this 53 character tweet was the appropriate action since it caused much more “defamation” than the original tweet did.

The lesson here for companies: Don’t be a sue first, ask questions later kind of institution. Work with your customers for a positive outcome. Then, even if you need to resort to ignoring the person’s problem or (as a last resort) sue them, you can point to your good faith efforts to work with them. That will soften any “big bad company suing a poor defenseless person” PR blow and you might even come out on top PR-wise.

The lesson for users: Don’t assume that what you post on Twitter (or on your blog, Facebook, etc) is just between you and a close-knit group of friends. Don’t say anything online that you wouldn’t say into a microphone in front of a full football stadium of people. This doesn’t mean you should live in fear over being sued for every little tweet/post/update, but keep in mind that you are putting this stuff out on a public network. Don’t say “Housing Co Landlords stink” when “my landlord stinks” would suffice or when “Tried to work with Housing Co Landlords to resolve my problem, but getting frustrated” would be more descriptive.
