Summer’s over

The sun went down this evening on the last day of summer, 2010. I can’t say I’ll miss it, though I was so looking forward to it when we were in the midst of one of our coldest winters here last winter. So we went from the 6th coldest winter ever to the hottest summer ever. That’s crazy.

We went to lots of swim meets, went on a few greenway rides, spent time at the pool, took a long weekend at the beach, went sailing all of one time, but if you asked me if we made the most of the summer I would have a tough time answering that. The oppressive heat really wasn’t fun, and given a sunny but hot day we would most likely lie low. It’s tough to get motivated to do something outside when one’s energy is sapped the moment one steps out the door.

So bring on fall, I say. Cooler weather means more outdoor activity. Fewer mosquitoes. It also means one of the most beautiful times of year to be in North Carolina. I love it, and look forward to a nice fall season.

Feeling better

Well, the sick I felt the other night is now mostly gone. I’ve cleared my throat several times today but had my energy back and felt far more normal than I had been. With any luck that will be the last cold I get this year.

Twitter infected with cross-site script

This is a serious #fail on Twitter’s part. This morning some clever Twitter user crafted a tweet that spread like wildfire on the service. Using an attack known as cross-site scripting (XSS), the exploit soon infected many thousands of Twitter users.

The tweet used a simple piece of JavaScript (the “onmouseover” event handler) to point unsuspecting users to a website at t.co. Then the JavaScript dutifully retweeted itself using the following code (modified for safety):

http://localhost/@”onmouseover=”document.getE1ementById(‘status’).value=’RT nobody’;$(‘.status-update-form’).submit();”c1ass=”modal-overlay”/

All a user had to do was run her mouse over the Javascript code and bam, it struck.

Twitter should’ve known better and filtered out posts that include Javascript.

Update: There doesn’t seem to be anything inherently evil about this script. All it appears to do is retweet itself. Still, it shows that the more sites like Twitter and Facebook push page-rendering and other tasks out to the browser using JavaScript (or AJAX), the more security holes there are bound to be.

Twitter has now patched their system so that the attack cannot happen again.
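
The string quoted above works because a double quote inside the link text ends the href attribute and lets a new attribute begin. The following is an added example, not code from Twitter or from the original post: linkifyUnsafe, linkifySafe and anchorAttributes are hypothetical helpers, the sample input is constructed with an inert handler, and it assumes the link is built by plain string concatenation.

```javascript
// Added illustration; all function names here are hypothetical, not Twitter's code.

// Anything that looks like an http(s) URL, up to the next whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Constructed sample with the same shape as the quoted string; the handler is inert.
const SAMPLE = 'look http://localhost/@"onmouseover="void(0)"/';

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the matched URL goes straight into the href attribute, so a
// double quote inside it closes the attribute and starts a new one.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => '<a href="' + url + '">' + url + '</a>');
}

// Hardened: escape the surrounding text and escape the URL for attribute context.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += '<a href="' + url + '" rel="nofollow">' + url + '</a>';
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Rough check (not a full HTML parser): the attribute names a browser would
// tokenize on the first <a> tag of the generated markup.
function anchorAttributes(html) {
  const tag = (html.match(/<a\s[^>]*>/) || [''])[0];
  const attrRe = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  return [...tag.matchAll(attrRe)].map((m) => m[1]);
}

console.log(anchorAttributes(linkifyUnsafe(SAMPLE))); // handler attribute present
console.log(anchorAttributes(linkifySafe(SAMPLE)));   // only href and rel
```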