By Thomas Baekdal - September 2010

Important Lesson from Today's Twitter Security Failure

If you have been near Twitter in the last couple of hours, you have probably noticed the huge amount of strange tweets. And if you moved your mouse over one, all kinds of weird things started to happen - everything from innocent popups, to suddenly retweeting the message, to being redirected to external "adult-oriented" sites.

You can read more about it over at Techcrunch, Mashable, or Sophos (and many other places).

Twitter has now fixed their site, but the problem wasn't specific to Twitter's website - any web app using Twitter is potentially affected. Anything from websites listing tweets to widgets that you add to your blog.

Most of these work just fine and were never affected, but every single web developer using Twitter needs to check their code.

Also, none of the Twitter apps (desktop, iPhone, iPad, Android) were affected, because they are not "web" based. Instead they just output gibberish into your stream.

So what really happened? (warning you are now entering geek mode)

It's simple. When you use the Twitter API, you get an XML or JSON output with the tweet as clear text. Here is one of the many examples.

Note: This one was the one responsible for most of the retweeting going on (not harmful, but really annoying). There were many others, some much worse than this.

Every web app will then try to find any link in the text, and convert that into something you can actually click on. It is a very simple operation, done all the time, pretty much everywhere.

The problem is that if you don't handle URLs correctly, people can add in extra stuff, like javascript code - exactly what happened on Twitter today. They simply failed to match a link correctly.

In the above case, the problem was with the quotation mark, but it could be other things too.

The "safe" characters are generally (when converting raw text to links): a-zA-Z0-9;/?:@&=+$,-_.!~*() Anything else isn't part of the link.

Note: For developers, a regex like this works: (https?|ftp|file)://[a-zA-Z0-9;/?:@&=+$,_.!~*()-]+ (the hyphen has to go last in the character class, or be escaped; written as ,-_ it is read as a range that also admits < and >). This is the one I use for all my Twitter apps.
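An added illustration, not code from the post: a naive linkifier that takes everything up to the next whitespace as the URL, next to one that uses the post's safe-character list (hyphen moved to the end of the class) and HTML-escapes everything it emits, both run over a constructed tweet shaped like the ones described. The anchor-attribute check uses Python's tolerant html.parser, which treats a name following a closing quote as a new attribute, much as browsers do.

```python
import html
import re
from html.parser import HTMLParser

# Constructed tweet shaped like the ones the post describes: a URL that runs
# straight into a quotation mark followed by an event-handler attribute.
SAMPLE_TWEET = 'look http://example.com/@"onmouseover="alert(1) wow'

# Naive linkifier: treats everything up to the next whitespace as the URL and
# drops it unescaped into the markup, so the quote ends the href early and the
# rest of the "URL" becomes an attribute of the anchor.
NAIVE_URL = re.compile(r'(https?|ftp|file)://\S+')

def linkify_naive(text):
    return NAIVE_URL.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), text)

# Hardened linkifier: the URL may only contain the safe characters listed in the
# post (hyphen last so the class holds no accidental range), and both the URL
# and the surrounding text are HTML-escaped before they reach the page.
SAFE_URL = re.compile(r'(https?|ftp|file)://[a-zA-Z0-9;/?:@&=+$,_.!~*()-]+')

def linkify_safe(text):
    out, pos = [], 0
    for m in SAFE_URL.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0))  # escapes &, <, >, " and '
        out.append('<a href="%s">%s</a>' % (url, url))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return ''.join(out)

class _AnchorAttrs(HTMLParser):
    """Records the attribute names of every <a> tag, as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.found.append(sorted(name for name, _ in attrs))

def anchor_attributes(markup):
    """Return, per anchor, the sorted attribute names the markup really carries."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.found

if __name__ == '__main__':
    for fn in (linkify_naive, linkify_safe):
        out = fn(SAMPLE_TWEET)
        print(fn.__name__, anchor_attributes(out), out)
```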

Most web apps actually do this the right way. Seesmic Web, for example, didn't have the problem, because they had done it the right way to begin with. Actually, something is looking odd in the Seesmic Web screenshot. I don't think they are vulnerable, but they are including the quotation mark.

It is really up to each individual developer. Every web app is vulnerable by default. It's your job as a developer to make sure you are not affected.

Twitter has solved the problem with their site, but in a rather curious way. Instead of solving the matching algorithm, they are now simply converting " into &quot;. It works, but it is not really the right way to do it.

Update: Video of the exploit in action (via Sophos)
