Vulnerability Fixed in 90 Seconds!

29 07 2008

UPDATE: Rsnake tells me I got the “90” right. Unfortunately, it was minutes and not seconds. Still an impressive response, but not quite Light Speed Remediation.

In a recent post I talked about how Twitter was being used for customer service and public relations by various companies, with a few real-world success stories. In that post I also mentioned some of the talk around Twitter's uptime, which it seems anyone associated with the service has discussed in some form. They have certainly had their share of recent problems. There's even been a sub-culture created around the infamous “Fail Whale”.

Well, here’s a Twitter story with a much more positive twist. Yesterday, I received one of Twitter's standard “following” messages regarding a new follower:

Taken out of context, this could be a frightening message :-) . Having met him, it was actually a good thing. But, of course, having @Rsnake join Twitter can only mean one thing: Twitter's vulnerabilities are about to be found out. And this is exactly what happened.

The next few minutes went like this:

Yes, that’s right: it took about 2 hours to identify and exploit an XSS vulnerability on Umusic, which was a domain trusted by Twitter. Handiwork indeed. But what actually impressed me more was the response from Twitter:

OK, this was a pretty straightforward, simple fix, but nonetheless this is still impressive. Quick work made of security, something I love to see. To recap: Rsnake signs up for Twitter, adds a bunch of friends and finds a reflected cross-site scripting vulnerability, with proof of concept, in about 2 hours. The good folks at Twitter see Rsnake’s post, respond and close the vulnerability in about 90 seconds! Nice job by all involved.

I wish it was always this pleasant and smooth.


3 responses

31 07 2008
Security and the Net · Twitter hacked, secured in under 4 hours

[...] but you get the point. Anyway, once I got to look at it the problem was fixed already. Not in 90 seconds, mind you, but 90 minutes is still pretty [...]

27 08 2008
Nate McFeters

If you think that’s cool, I’m sure twitter would be susceptible to the GIFAR action.

-Nate

4 09 2008
cleartext

@Nate McFeters, I’m sure you’re right about GIFARs on Twitter. I think the coolest thing about this Twitter hack story is actually the response time from Twitter. Easy fix? Yes, but cool nonetheless.
