The Tech Herald

XSS flaw discovered on Twitter

by Steve Ragan - Jun 25 2010, 14:00

Praetorian Prefect has a write-up focused on a persistent Cross-Site Script (XSS) flaw discovered on Twitter by a user known only as '0wn3d_5ys'. The discovery, while first reported via the Prefect blog, was made on June 21.

The flaw itself resides in the application name field within the form used to register a new Twitter application. For example, when you see a post on Twitter that came from TweetDeck, the post tells you so, and lists TweetDeck by name.

Last August, James Slater discovered an XSS flaw in the Twitter Application form within the field used to register the URL used by the application. This is what will send you to the TweetDeck website, if you stick with our example and click the name of the application.

“Imagine that for a moment. Simply by seeing one of these tweets, code can be run inside your browser impersonating you and doing anything that your browser can do,” Slater explained at the time, pointing out why the XSS flaw was something serious.

“Perhaps it may simply redirect you to a pornographic website? Or maybe delete all of your tweets? Send a message to all of your friends? Maybe it would delete all of your followers, or worse still, just send the details needed to log in to your account off to another website for someone to use at their leisure,” he added.

Twitter said it had fixed the flaw Slater disclosed, but when he checked, it turned out that all Twitter did was prevent spaces from being added to the Application Website field where the XSS was first discovered.

This was seen as a partial fix at best, leading to the claim from Slater that Twitter completely missed the point of the disclosure.

In May, Twitter was forced to react and close a bug that allowed anyone to be forced to follow another user by sending a message with the word "accept" followed by the Twitter username without the @ symbol (i.e., accept SteveD3).

Earlier this afternoon, The Tech Herald reached out to Twitter to check on the status of the recent XSS flaw - It said it is aware of the issue, and has fixed it for new applications. From there, the micro-blogging service said it is still working to fix the flaw for all applications.

“This might be Twitter’s first serious cross site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly as it was public knowledge before this post, and has been for days,” the Prefect blog noted.

More details from the Praetorian Prefect can be viewed here.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Chevrolet shows off the 2015 Colorado with digital experience

Chevrolet has launched a new website to show buyers all the bells and whistles available on ...

Mazda to debut CX-3 and MX-5 at Los Angeles Auto Show

Mazda has announced plans to premiere the new Mazda CX 3, its new compact crossover SUV, at ...

Ford issues safety recall for 204,448 Ford Edge and Lincoln MKX

Ford has issued a safety recall for 204,448 of the 2007-2008 Ford Edge and Lincoln MKX in No...

Mopar Previews SEMA Custom Rides

We have added a set of pictures released by Mopar ahead of the SEMA Show. Mopar are bri...

Audi R8 Competition – The Most Powerful Production Audi Ever

Audi has revealed details of their new super-fast Audi R8 Competititon — the most powerful a...