Advertisements

 Twitter developer platform search field vulnerable to XSS

Written by DP

Monday, 6 September 2010

*1st UPDATE* - Security researcher Mike Bailey (mckt) has produced a simple proof of concept which silently exploits this XSS. Basically, any Twitter user who clicks on the button will post a tweet reading 

"@mckt_ just compromised my Twitter account with XSS. http://bit.ly/bvnkDB #twitterXSS".

Use it at your own risk:

http://skeptikal.org/exploits/twitter/twitter_xss.html

*2nd UPDATE* - As Stefan Tanase from Kaspersky Labs wrote in the news article "Τwitter XSS in the wild", cybercriminals - maybe of Brazilian origin - maliciously leveraged and exploited this Twitter XSS to steal user cookies and transfer them to two specific servers. According to bit.ly short link statistics, they have managed in a very short time to compromise more than 100.000 Twitter accounts by urging users to click on their link with a short tweet that read in portoguese "Pe Lanza da banda Restart sofre acidente tragico"  (Pop band Restart suffering a tragic accident):

(Screenshot by Stefan Tanase of Kaspersky Labs)

 

(Screenshot by  Stefan Tanase of Kaspersky Labs)

 

Twitter has confirmed the vulnerability is fixed now...

------------------------

This non-persistent Twitter XSS was submitted by "cbr" on July 29, 2010 and has not been corrected since then.

http://dev.twitter.com/search?query=%253C/script%253E%253Ciframe%20src="http://www.xssed.com"%253E%253C/iframe%253E [XSS Mirror]

During the summer period, another three possible XSS attacks on Twitter have been reported:

support.twitter.com persistent XSS vulnerability notified by d3v1l
twitter.com persistent XSS vulnerability notified by 0wn3d_5ys
and one by Billy (BK) Rios...

Important to mention that all were quickly fixed!

Screenshot #1:

 

Screenshot #2: 

 

References:

"Just another persistent Twitter XSS" - DP - 19 Jul 2010
"Twitter XSS bug" - Billy (BK) Rios - 19 Jul 2010
"Persistent XSS vulnerability affecting Twitter promptly corrected" - DP - 27 Jun 2010


        
Advertisements
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.