My first WordPress birthday

Seriously, does it get cooler than this?

Tweet from @wordpress: Happy Birthday, @nacin! Thank you for all you do for @wordpress and the community.

Normally I enjoy the dozens of Facebook wall posts I get on this date every year, many from friends I don’t hear from too often. But there’s something really special about the dozens of mostly random tweets and retweets 1 wishing me a happy birthday and thanking me for my hard work. It makes me feel proud of the work we do and the impact we have doing it.

I only got involved in the WordPress community late last year. A year ago, I could never have imagined where I am now. I love what I do as a core developer. It’s crazy. And it looks like WordPress loves me back, too. Thanks Jane for the tweet, and so many of you in the community for the birthday wishes! 🙂

If you want to pitch a little my way in support of my contributions to WordPress, I’ve added a donate page that includes a link to a newly minted but woefully incomplete Amazon wish list.

Jane only really thought about doing this recently, but there were two other birthdays in the last two weeks I would be remiss not to mention: good friends and fellow WordPress contributors Daryl Koopersmith and Dion Hulse. I’m now 22, Daryl is 21, Dion is 23, so we’ve got quite a bit ahead of us and I don’t think we’ll be going anywhere anytime soon.

Notes:

  1. And the new followers courtesy of the @wordpress account’s 77,000 followers! 🙂

CSRF attack strikes Twitter

I mean, who didn’t see this coming?

Twitter allows a URL to send a tweet. Many sites and retweet buttons and such rely on it. No POST, no nonce, nothing. Just a simple HTTP GET triggers a tweet. Clearly, someone was going to exploit this eventually.

Authentication is not the same as intention. It isn’t enough to determine that a user is allowed to do something; you also have to determine that they intended to do it. When intent is not established, and especially when the form can be submitted via a GET request, these kinds of exploits become child’s play, as you can see from the complete exploit code below. It’s called a cross-site request forgery, or CSRF (or XSRF).

How do you determine intention? You’ll want to avoid accepting state-changing requests over GET, but by itself that does nothing to stop the attack. The next step would be to check the HTTP referrer, but that can be spoofed. Since that isn’t foolproof, you need something like a nonce check, like what we use in WordPress. For Twitter to secure the site against this CSRF vulnerability, they’ll be breaking a lot of embedded tools and buttons on many, many sites, so for now they’ve apparently disabled the share endpoint that was exploited.

For the WordPress developers out there, probably the best read out there is this post by Mark Jaquith, from four years ago. It still applies as if it was written yesterday. For the non-WordPress developers, it’s still a great read as it explains what’s really going on, how WordPress prevents it, and why intention is important (if that isn’t obvious enough).

Once again, Twitter users are victims, thanks to the lack of basic security practices.

Update: Check out TechCrunch’s coverage. They quote a certain commenter who explained the issue. 🙂

Here’s the exploit:

<script type="text/javascript">
var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";
el2.style.visibility="hidden";
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);
</script>