XSS flaw discovered on Twitterby Steve Ragan - Jun 25 2010, 14:00
Praetorian Prefect has a write-up focused on a persistent Cross-Site Script (XSS) flaw discovered on Twitter by a user known only as '0wn3d_5ys'. The discovery, while first reported via the Prefect blog, was made on June 21.
The flaw itself resides in the application name field within the form used to register a new Twitter application. For example, when you see a post on Twitter that came from TweetDeck, the post tells you so, and lists TweetDeck by name.
Last August, James Slater discovered an XSS flaw in the Twitter Application form within the field used to register the URL used by the application. This is what will send you to the TweetDeck website, if you stick with our example and click the name of the application.
“Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do,” Slater explained at the time, pointing out why the XSS flaw was something serious.
“Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure,” he added.
Twitter said it had fixed the flaw Slater disclosed, but when he checked, it turned out that all Twitter did was prevent spaces from being added to the Application Website field where the XSS was first discovered.
This was seen as a partial fix at best, leading to the claim from Slater that Twitter completely missed the point of the disclosure.
In May, Twitter was forced to react and close a bug that allowed anyone to be forced to follow another user by sending a message with the word "accept" followed by the Twitter username without the @ symbol (i.e., accept SteveD3).
Earlier this afternoon, The Tech Herald reached out to Twitter to check on the status of the recent XSS flaw - It said it is aware of the issue, and has fixed it for new applications. From there, the micro-blogging service said it is still working to fix the flaw for all applications.
“This might be Twitter’s first serious cross site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly as it was public knowledge before this post, and has been for days,” the Prefect blog noted.
More details from the Praetorian Prefect can be viewed here.