Jonathan Stark's Profile

About Me:

Last 10 Comments

1

Hi all -

Great post and great comments. I was glad to see DD's comments because I was thinking precisely the same thing. I recognize that the problem exists, but think it's something that should be addressed by Twitter (or maybe SMS), not every publisher worldwide.

That said, I don't know how Twitter could do anything about it if they want to continue to support updates via SMS. I guess that the idea of "pre-expanding" URLs from known shortening services would be a good start. At least then the middleman is removed as a point of failure, etc.

Best,

j

Posted in /blog/2009/apr/save-the-internet-with-rev-canonical.

Sun, 12 Apr 2009 at 17:04:23


2

Thanks for clearing that up. #1 in particular makes sense to me. I was thinking of it more from the perspective of a site user rather than a site developer.

Posted in /blog/2009/feb/twitter-dont-click-exploit.

Thu, 19 Feb 2009 at 14:23:17


3

I am sure everyone is going to goof on me, but I don't see the significance of the distinction being made between clickjacking and CSRF in this exploit. I get that it's not executed in the same manner, but it could have been CSRF just as easily, right? Who cares if I am clicking the actual button or an invisible overlay? Tougher for the target site to defend against, perhaps?

Posted in /blog/2009/feb/twitter-dont-click-exploit.

Mon, 16 Feb 2009 at 22:49:14


Stats

  • Member Since: 16 Feb 2009
  • Comments: 3

Web Site

jstark.myvidoop.com

Blog Posts


Work and Books

  • Analog
  • Essential PHP Security
  • HTTP Developer's Handbook