Twitter Bug Really Really Worries The White House Press Corps

Yesterday was a big day in Washington, and for your White House Press Corps: big votes on "Don't Ask Don't Tell" and the DREAM Act, the six-month anniversary of the Affordable Care Act, elections looming in the distance -- in short, lots to talk about. But first! Twitter! Will it cause the next 9/11? The White House Press Corps is concerned!

But before we get into that, let's explain what happened to Twitter, for the benefit of all you good people who are resolved to live a life free of microblogging. For that, we turn to Ars Technica:

Anyone checking twitter.com this morning was probably greeted with a mess of JavaScript, mouseover effects, and spam retweets, after a flaw in the site's handling of hyperlinks allowed attackers to inject scripts into Twitter's pages. The mere act of visiting the site with scripting enabled was sufficient to cause exploitation. Payloads ranged from the harmless--tweets with a black background--to the more malicious--redirection to porn sites.

The flaw was classified as a cross-site scripting (XSS) bug. Due to an error in the way that Twitter processed messages, it was possible to include JavaScript in tweets, and that JavaScript could then do more or less anything, including sending more JavaScript-containing tweets. The technique was devised last night by Twitter user Magnus Holm. Holm says that he didn't find the XSS flaw itself, but he appears to have been the first to write a worm that exploited it.

Generally, Web applications that incorporate text from untrusted sources should ensure that text is safe before displaying it to people. Today's flaw was a result of a failure to do that correctly. The twitter.com website converts URLs in tweets into clickable hyperlinks. However, if that URL contained an "at" symbol (@), the conversion process was not handled properly, converting part of the URL into JavaScript embedded into the page. Because this JavaScript is embedded in pages on twitter.com, it has free and unfettered access to other website features, including the ability to send tweets. This allows embedded JavaScript to propagate itself further, hence forming the basis of today's worms that saw many tens of thousands of tweets sent automatically.

Twitter has since fixed this flaw in its service, which could be fairly said to have been a small inconvenience to a lot of people for a brief period of time.
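The failure Ars Technica describes above is the textbook shape of a stored XSS bug: a linkifier takes untrusted tweet text, builds an anchor tag out of it, and lets part of the URL land in the page as live markup instead of as data. As an added illustration, not Twitter's code and not taken from the Ars Technica piece, here is a small linkifier in JavaScript that does what the excerpt says should happen: the URL is escaped separately for the href attribute and for the visible link text, and only http/https URLs become links. The URL pattern, the function names and the sample tweet are assumptions made for this example.

```javascript
// Added example (not Twitter's code, not from the Ars Technica article).
// Treats tweet text as untrusted data in two HTML contexts: the href
// attribute and the link text. Every byte that reaches the output goes
// through escapeHtml, so a quote or '@' inside a URL cannot break out of
// the <a> tag the way the bug described above allowed.

// Constructed pattern, deliberately simple: an http(s) URL runs until
// whitespace or an angle bracket. Escaping, not the regex, provides safety.
const URL_PATTERN = /https?:\/\/[^\s<>]+/g;

// Escape for HTML text content and for double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Accept only http(s) URLs so that javascript: or data: never become hrefs,
// even if the pattern above is later loosened.
function isSafeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Convert URLs in an untrusted tweet into anchors. Text between URLs, the
// href value and the link text are each escaped for their own context.
function linkify(tweet) {
  let out = '';
  let last = 0;
  for (const m of tweet.matchAll(URL_PATTERN)) {
    const url = m[0];
    out += escapeHtml(tweet.slice(last, m.index));
    if (isSafeHref(url)) {
      const safe = escapeHtml(url);
      out += `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
    } else {
      out += escapeHtml(url); // not linkable: render as plain escaped text
    }
    last = m.index + url.length;
  }
  out += escapeHtml(tweet.slice(last));
  return out;
}

// Constructed sample tweet: a URL with user-info ('@') and a stray quote,
// the two ingredients the excerpt mentions as going wrong.
const SAMPLE_TWEET = 'hello http://user@example.com/"x world';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(linkify(SAMPLE_TWEET));
}
```

The point of the design is that safety does not depend on the regex being clever: whatever the pattern captures, both places it is written into the page are escaped for that context, and the scheme check keeps non-http URLs from ever becoming hrefs at all.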

Ars Technica had its piece on the matter up at 11:03 A.M. yesterday morning and it's a real pity that no one in the White House Press Corps was aware of it, because in the briefing, they sort of let their imaginations run wild!

Q And on another subject, Twitter had a bug this morning.

MR. GIBBS: I noticed.

Q Yes, you did. (Laughter.)

MR. GIBBS: I still don't know what happened. I just emailed the tech guys and said I don't know what just happened. But I don't know whether it was -- there were a lot of characters and letters that didn't seem to line up into anything.

Q Can you pause in actually using Twitter to disseminate information from the White House?

MR. GIBBS: Well, pretty safe to assume that all those letters and numbers and what have you, I don't know that -- I don't know what that disseminated. I didn't seem to make any look like -- look -- I was going to say, look like a scene out of the movie "War Games." I don't know what -- no, I don't -- look, you know, from time to time, I have no doubt that there will be those that want to gum up the system and things like that. I don't hesitate to continue to use it. I thought I'd done something horrific to my own computer and quickly made sure I didn't spill anything on my keyboard or -- because at one point on my computer it just had people's names on Twitter and then all of their --

Q Personal information.

MR. GIBBS: Well, no, all of their -- all of their message was blacked out as if the whole thing was redacted. I thought that was -- at first I thought that was somebody's message and I thought, I don't know what that means, but that's kind of funny. But then I realized it was happening to half my messages.

I've no idea where the idea that "personal information" was exposed came from. As Ars Technica points out, the extent of the maliciousness ranged from blacked-out tweets to redirection to porn sites. But why should the actual facts get in the way of a good scare!

Q But why doesn't that concern you, that there might be some sort of security breach in the messages that you're disseminating from the White House, that this could be scrambled or misinterpreted or redirected in some way?

MR. GIBBS: Well, again, since the words didn't equal -- since the combination of letters and numbers didn't actually equal a message, I'm not worried about that code being misinterpreted.

Basically, yes. This was a security breach of Twitter, not a security breach of the White House. It scrambled and misinterpreted and redirected messages from a whole lot of people. Rational people understand that their Twitter friends probably didn't mean to send them weird redacted messages and links to porn sites. The Twitter worm did not have access to state secrets, and it is not like that terrible Kristen Bell movie, where monsters in our cellphones jump into washing machines and attack us.

Eventually, Gibbs settled the matter by pointing out that technology gets disrupted from time to time, and if we got terrified at every turn by hacks and malware we'd all be writing on "parchment." "It's just the vagaries of doing business," said Gibbs. And soon, the White House Press Corps was doing what they do best, pressing the spokesman of the leader of the free world on the relative merit of using Slurpees as a campaign metaphor -- you know, the People's Business.

[Would you like to follow me on Twitter? Because why not? Also, please send tips to tv@huffingtonpost.com -- learn more about our media monitoring project here.]
