
New Twitter exploit about goats – how it works. - js4all
http://www.wait-till-i.com/2010/09/26/new-twitter-exploit-how-it-works/
======
aberkowitz
Nothing fixes an exploit faster than the threat of embarrassing sexual
messages.

------
xentronium
> Twitter allowing updates through the API via IFRAMES and GET

Total amateurs. I hope those guys didn't have the guts to say anything about
Diaspora. Because disallowing GET updates is, like, on the third page of a
network security book.

~~~
frognibble
It is also an error to assume that disallowing GET for updates adds any
security. I recommend reading about cross site request forgery. CSRF is the
type of attack used on Twitter today.

~~~
xentronium
Never said it did.

~~~
natrius
Yes, you did. You said that not allowing GET requests to change data on a site
is commonly covered in network _security_ books. It's not a security issue,
it's a behavior issue. GET requests are supposed to be "safe" in that they don't
result in changing any data on the site[1]. Breaking that expectation can
result in all sorts of unintended consequences, such as unintended changes
caused by link prefetching.

The article is also subtly wrong. GET requests can be protected from CSRF
attacks. There just isn't ever a reason to do that if you're doing things
right.

[1] <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html>
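
Worked example, added here and not taken from the linked article or from any commenter: a minimal server-side handler that reflects the two points above. GET is treated as a safe method and never updates state (RFC 2616 section 9.1), and a state-changing POST is accepted only when it carries the per-session CSRF token, which a cross-site page loading an IFRAME or auto-submitting a form cannot read. An optional flag also shows natrius's side point that a token check works on GET just as well, even though rejecting GET updates outright is the idiomatic choice. The session store, function names and status strings are assumptions for this illustration, not anything from Twitter's API.

```python
import hmac
import secrets

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}

# Methods RFC 2616 section 9.1 calls "safe": they must not change server state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session():
    """Create a session and mint a random, per-session CSRF token (synchronizer token)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "timeline": []}
    return sid


def csrf_token_for(sid):
    """Token the legitimate page embeds in its own form; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf_token"]


def handle_status_update(method, params, sid, accept_get_with_token=False):
    """Decide whether a status-update request is accepted.

    Returns (http_status, reason). The request arrives with the user's session
    cookie (sid) no matter which site triggered it, so the cookie alone proves
    nothing about intent; only the token ties the request to the real page.
    """
    if sid not in SESSIONS:
        return 401, "no session"

    if method in SAFE_METHODS and not accept_get_with_token:
        # A GET must not update anything, whatever parameters it carries.
        return 405, "status updates require POST"
    if method not in SAFE_METHODS and method != "POST":
        return 405, "unsupported method"

    submitted = params.get("csrf_token", "")
    expected = csrf_token_for(sid)
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"

    status = params.get("status", "")
    if not status:
        return 400, "empty status"

    SESSIONS[sid]["timeline"].append(status)
    return 200, "posted"


def forged_request(method, status):
    """Parameters a hostile page can cause the victim's browser to send: it can
    choose the method and fields, but not the token, which lives in the victim's page."""
    return {"status": status}


if __name__ == "__main__":
    sid = new_session()
    print(handle_status_update("GET", forged_request("GET", "spam"), sid))
    print(handle_status_update("POST", forged_request("POST", "spam"), sid))
    legit = {"status": "hello", "csrf_token": csrf_token_for(sid)}
    print(handle_status_update("POST", legit, sid))
```

Running it shows the forged GET rejected by the method rule, the forged POST rejected by the token rule, and the legitimate POST accepted; the timeline only ever receives the latter.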

~~~
xentronium
1. "Never said it did _prevent CSRF_" -- probably should have clarified.

2. You're arguing about semantics. CSRF is a security issue. Being able to
send updates without the user's knowledge is a security hole too. Backed up by a
wrong behaviour if you wish. I should never forget that HN is a Serious
Business.

None of the above makes the Twitter guys any less lame.

