[Update: The open XSS vulnerability has been patched.]
Month of Twitter Bugs kicks off with bit.ly vulnerabilities. (Image: J. Anderson)
The Month of Twitter Bugs (MoTB) kicked off this morning with four vulnerabilities in the popular bit.ly URL-shortening service. bit.ly, the second most popular URL shortener used on Twitter according to Tweetmeme.com, remains vulnerable to one XSS attack on the URL information pages the service generates. Three other XSS flaws were reported as well, but all of those were patched before disclosure.
The list of bit.ly vulnerabilities starts with an XSS (Cross-Site Scripting) issue in the URL Query parameter used by the service, disclosed by Mario Heiderich back in May. It was fixed shortly after it was disclosed, but MoTB project creator Aviv Raff discovered that the fix was only partial. According to the MoTB disclosure, bit.ly had simply stripped the < and > characters from the URL Query parameter instead of HTML-entity-encoding the value on output. After several discussions, Raff said, bit.ly fixed the problem properly.
The second vulnerability, disclosed by Mike Bailey on June 24, was patched on Tuesday (June 30). It centered on how browsers handle script tags inside a document. Bailey described the behaviour as an interesting quirk present in all browsers, and after some digging found that bit.ly was exploitable through it.
Browsers locate the script tags before evaluating the JavaScript within them, so an injected closing tag forces the browser to end the block of code early and throw a parse error, Bailey said. At the same time this allows, “…you to start a new block of unquoted (and therefore, executed) code.”
Bailey speculated that this attack vector could lead to compromise of a victim's browsing history, tampering with a user's bit.ly settings, or abuse of the user's Twitter account, since bit.ly uses the Twitter API.
Another bit.ly XSS vulnerability fixed on Tuesday centered on the username field of the login page. Initially reported by Mario Heiderich on June 21, the flaw involves data stored in the DOM of the bit.ly website, which could later be retrieved by JavaScript. Heiderich's report is here.
The last vulnerability, submitted to the MoTB project on June 25, remains unpatched. The flaw allows XSS via the content-type field on the bit.ly service's URL information page.
“Whenever a URL of a website gets shortened by bit.ly service, an information page is created for the URL, with statistics and metadata about the website. One of the metadata information being stored by bit.ly is the content-type response header of the shortened URL page. This information of course can be easily changed,” Raff wrote. A live example of the flaw is here.
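The three bit.ly issues above share one root cause: untrusted data (a query parameter, a value inside an inline script, a Content-Type header copied from whatever server the shortened URL points at) is written into a page without encoding for the context it lands in. The following is an added example written for this article, not bit.ly's code or any of the researchers' proof-of-concept. It builds a toy "URL info page" and checks each of the three contexts against constructed payloads. The page layout, the field names, and the assumption that the query parameter is reflected inside an attribute are all hypothetical; the article does not say where bit.ly echoed the parameter.

```javascript
// Added example (not bit.ly's code). All payloads and page structure are constructed.

// The partial fix the article describes: strip only "<" and ">".
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, "");
}

// HTML entity encoding, safe for text and double-quoted attribute contexts.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" }[c]));
}

// JSON for an inline <script>. JSON.stringify escapes quotes and backslashes, but the
// HTML tokenizer closes the script element at the first "</script" it sees, before the
// JavaScript engine ever runs, so "<" must also be escaped as \u003c.
function jsonForScript(v) {
  return JSON.stringify(v)
    .replace(/</g, "\\u003c").replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// Hypothetical info page: the query in an attribute, the target's Content-Type header as
// text, and the target URL inside an inline script. `enc` encodes HTML contexts, `jsEnc`
// encodes the script context.
function renderInfoPage(meta, enc, jsEnc) {
  return [
    `<input type="text" name="q" value="${enc(meta.query)}">`,
    `<p>Content-Type: ${enc(meta.contentType)}</p>`,
    `<script>var target = ${jsEnc(meta.target)};</script>`,
  ].join("\n");
}

// Minimal checks standing in for a browser: did untrusted data change page structure?
function attrBreakout(line) {
  // After value="...", nothing but the closing ">" should remain.
  const m = line.match(/value="([^"]*)"(.*)>$/);
  return m !== null && m[2].trim() !== "";
}
function textHasTag(line) {
  const inner = line.replace(/^<p>Content-Type: /, "").replace(/<\/p>$/, "");
  return /<[a-z!\/]/i.test(inner);
}
function scriptBreakout(line) {
  const body = line.slice("<script>".length).toLowerCase();
  // More than one "</script" means an injected close tag ended the real block early.
  return body.indexOf("</script") !== body.lastIndexOf("</script");
}

// Constructed attacker input. The Content-Type value is whatever the server behind the
// shortened URL chooses to send, so it is fully attacker-controlled.
const ATTACK = {
  query: '" onmouseover="alert(1)',
  contentType: "text/html; <img src=x onerror=alert(1)>",
  target: "</script><script>alert(1)</script>",
};

// Render with a given pair of encoders and report which contexts were broken out of.
function audit(enc, jsEnc) {
  const [attr, text, script] = renderInfoPage(ATTACK, enc, jsEnc).split("\n");
  return { attr: attrBreakout(attr), text: textHasTag(text), script: scriptBreakout(script) };
}

console.log("no encoding:      ", audit(s => s, JSON.stringify));
console.log("strip < > only:   ", audit(stripAngleBrackets, JSON.stringify));
console.log("entity + \\u003c:  ", audit(htmlEncode, jsonForScript));
```

Stripping angle brackets does neutralise the Content-Type payload in a plain text context, which is presumably why it looked like a fix; it does nothing for the attribute context, where the payload needs only a double quote, and nothing for the script context, where the HTML parser acts before any JavaScript-level escaping matters. Encoding per context clears all three checks.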
The number of vulnerabilities, and the fact that it took bit.ly a month and a half to correct three of the four, earned the service a response rating of “very poor” on the MoTB site.
In his final thoughts on the bit.ly vulnerabilities, Raff pointed out that the service has a large user base, “However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...”
The full breakdown of Day 1 of the MoTB is here. The project is expected to run through the month of July.