David Naylor has discovered a cross-site scripting (XSS) vulnerability in Twitter, and Twitter’s efforts to patch the exploit have been ineffective thus far. Twitter recently added rel=nofollow (meaning that Google would ignore these links for its indexing purposes) to the links that take you to a third-party Twitter application’s website.
In the tweet above you will see the text “about 17 hours ago from twitterfeed” below the actual content of the tweet. The text “twitterfeed” is a link to the page twitterfeed.com and it is these links that now have rel=nofollow on them.
Naylor stumbled upon this vulnerability when he was trying to remove the nofollow from an application’s link and found out that not only was this possible, he could also inject JavaScript into the link, meaning that it could potentially be exploited for malicious purposes, such as stealing login information. This exploit is particularly dangerous because it is executed as soon as a person visits the page of a Twitter user employing this vulnerability; it does not require the person to click on the link itself. The Twitter accounts @apifail and @apifail2 were set up to demonstrate this exploit by launching a pop-up window without doing anything malicious, but both accounts have now been suspended.
Twitter attempted to patch this exploit by prohibiting the use of spaces in the link to an application’s website, but this patch was easily circumvented and the exploit continues to work.
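The patch described above is a blacklist: it rejects one character (the space) and lets everything else through into an HTML attribute. The example below is added here to show why that is not enough and what a defensive approach looks like; it is constructed for this article and is not Twitter's code. The `render_source_link` function, the naive space filter, the allowlist checks and the sample URLs are all assumptions made for illustration.

```python
"""Added example (not Twitter's code): a blacklist on spaces versus allowlist
validation plus attribute encoding for the "from <application>" link."""
import html
from urllib.parse import urlsplit


def naive_space_filter_ok(url: str) -> bool:
    """Hypothetical filter mirroring the patch the article describes: the
    only thing it rejects is a literal space character."""
    return " " not in url


def is_safe_app_url(url: str) -> bool:
    """Allowlist check: absolute http/https URL with a hostname and none of
    the characters that can terminate or break out of an HTML attribute."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False          # rejects javascript:, data:, relative URLs, ...
    if not parts.netloc:
        return False
    for ch in url:
        # quotes and angle brackets end attributes or tags; control characters
        # and whitespace are rejected outright rather than blacklisted one by one
        if ch in '"\'<>' or ch.isspace() or ord(ch) < 0x20:
            return False
    return True


def render_source_link(app_name: str, app_url: str) -> str:
    """Render the application credit line. Unsafe URLs fall back to plain
    text; every value is attribute-encoded so it cannot escape its context."""
    safe_name = html.escape(app_name, quote=True)
    if not is_safe_app_url(app_url):
        return f"<span>from {safe_name}</span>"
    safe_url = html.escape(app_url, quote=True)
    return f'<a href="{safe_url}" rel="nofollow">from {safe_name}</a>'


if __name__ == "__main__":
    # Constructed sample inputs: a normal application URL, a value that
    # contains no space but does contain a double quote, and a non-http scheme.
    for name, url in [
        ("twitterfeed", "http://twitterfeed.com"),
        ("app", 'http://example.com/"x'),
        ("app", "javascript:void(0)"),
    ]:
        print(f"{url!r}: space filter={naive_space_filter_ok(url)}, "
              f"allowlist={is_safe_app_url(url)} -> {render_source_link(name, url)}")
```

The second sample passes the space filter but fails the allowlist, which is the gap the article's "easily circumvented" patch leaves open: the safe property is "this value cannot change the meaning of the attribute", and that is guaranteed by validating the whole value and encoding it on output, not by forbidding individual characters.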
The best way to protect yourself from this exploit is to use a third-party Twitter client, such as TweetDeck or Seesmic Desktop, and not to visit the Twitter pages of people you do not know and trust until this vulnerability is correctly patched. If you use Firefox, you could also install the NoScript add-on which would stop the exploit from executing if you were to visit an infected Twitter page.