 Persistent XSS vulnerability affecting Twitter promptly corrected
Written by DPSunday, 27 June 2010Indonesian security researcher who goes by the nickname "H4x0r-x0x" (http://www.0wn3d-5ys.co.cc/), has discovered and submitted to the XSS archive, a critical persistent cross-site scripting vulnerability (Script Insertion) on the popular microblogging platform Twitter.com. Malicious people could exploit it to hack other users' accounts or infect them with malware, adware or spyware.
We validated this vulnerability as soon as H4x0r-x0x notitfied us on 24th of June, and published a mirror on 26th of June, when we were sure that it was corrected:
Twitter.com Persistent XSS (Script Insertion) Mirror:
http://www.xssed.com/mirror/67490/
Twitter's security team promptly corrected this security issue.
The flaw was exploitable due to insufficient input validation of the "Application Name" field when registering as developer a new Twitter application.
Although in recent news on SC Magazine USA about this Twitter XSS, Daniel Kennedy from the Praetorian Prefect said “I haven't seen it used by attackers yet, but obviously that can change”, Mikko Hypponen from F-Secure has blogged on June 21 2010 that over 1000 Twitter accounts have been hacked with an unknown method to display "Hacked By Turkish Hackers". It is possible that Turkish hackers have exploited this very Twitter XSS flaw or a related website using the Twitter API...
For more in-depth details about the Twitter XSS read here.
Twitter has been XSSed in the past.
Screenshot
Courtesy of 0wn3d-5ys.co.cc
References:
"Researcher demonstrates Twitter XSS vulnerability" - June 24, 2010 - Angela Moscaritolo - SC Magazine USA
"Persistent XSS on Twitter.com" - June 24, 2010 - Daniel Kennedy, Praetorian Prefect
"Hacked By Turkish Hackers"? - June 21, 2010 - Mikko Hypponen, F-Secure
"XSSED Injection Vuln on Twitter" - June 21, 2010 - H4x0r-x0x - 0wn3d-5ys.co.cc
| 
