MoTB #23: TwitterCounter/TwitterRemote Reflected XSS vulnerabilities

What is TwitterCounter
“Just as TwitterCounter could be described as Feedburner for Twitter you could say that TwitterRemote is like MyBlogLog for Twitter. ” (TwitterCounter about page)

Twitter effect
TwitterCounter can be used to send new tweets and reply to other Twitter users.
TwitterCounter is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Over 830,000 unique visitors per month (According to Compete) – 4 twits

1) Vulnerability: Reflected Cross-Site Scripting in the Country page.
Status: Unpatched.
Details: The TwitterCounter country page does not encode HTML entities in the “timezone” variable, which can allow the injection of scripts.
The vulnerability was also submitted, and publicly disclosed by d3v1l.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://twittercounter.com/pages/country?time_zone=XXX%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

2) Vulnerability: Reflected Cross-Site Scripting in the iframe.php page.
Status: Unpatched.
Details: The TwitterRemote iframe.php page does not encode HTML entities in the query variables, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://twittercounter.com/remote/iframe.php?username_owner=xxx&users_id=3351429&nr_show=6&hr_color=cccccc&a_color=709cb2&bg_color=;color:expression(alert(‘xss’))
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #22: CSRF in StockTwits

What is StockTwits
“StockTwits is an open, community-powered idea and information service for investments. Users can eavesdrop on traders and investors, or contribute to the conversation and build their reputation as savvy market wizards. The service takes financial related data – using Twitter as the content production platform – and structures it by stock, user, reputation, etc.” (StockTwits about page)

Twitter affect
StockTwits can be used to send tweets and follow other Twitter users.
StockTwits is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
82nd place according to “The Museum of Modern Betas”. – 2 twit

Vulnerability: Cross-Site Request Forgery in the update JSON page.
Status: Patched.
Details: The StockTwits update JSON page did not use authenticity code in order to validate that the HTTP post is coming from the StockTwits web application.
Screenshots:

Vendor response rate
The vulnerability was fully fixed 22 hours after it has been reported. Excellent – 5 twits.

MoTB #21: Multiple vulnerabilities in Ping.fm

What is Ping.fm
“Ping.fm is a simple and FREE service that makes updating your social networks a snap!” (Ping.fm home page)

Twitter affect
Ping.fm can be used to send tweets by sending them via their website, email, or SMS.
Ping.fm is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
8th place in the most used twitter clients – 4.5 twits

Vulnerabilities
1) Cross-Site Request Forgery in the SMS Phone No. Settings page.
Status: Patched.
Details: Ping.fm SMS phone number settings page did not use authenticity code in order to validate that the HTTP request POST is coming from the Ping.fm web application.
This could have been used by an attacker to send tweets on behalf of its victims, by simply sending an SMS to Ping.fm.

2) Reflected Cross-Site Scripting in the “Ping This!” page.
Status: Patched.
Details: The Ping.fm “Ping This!” page did not encode HTML entities in the “link” variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://ping.fm/ref/?link=xxx%22+style=”color:expression(document.body.onload=function(){alert(‘XSS’)})
Screenshot:

Vendor response rate
The vulnerabilitles were fixed several hours after they have been reported. Excellent – 5 twits.

MoTB #20: Insecure communication vulnerability in twhirl

What is twhirl
“twhirl is a desktop client for the Twitter microblogging service. Most of the features available on the Twitter website are accessible through twhirl, too.” (twhirl about page)

Twitter effect
twhirl can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
twhirl is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
One of the most popular Twitter clients. 7th place in the most used twitter clients – 4.5 twits

Vulnerability: Insecure communication vulnerability in the update proccess.
Status: Unpatched.
Details: twhirl does not use a secure communication when it checks for updates. An attacker who controls the victim’s network (e.g. via public WiFi, compromised DNS servers, etc.) can tamper with the request to http://www.twhirl.org/version.xml, and replace the values of both “version” and “installerURL” XML entities, in order to force a display of fake (malicious) update.
This vulnerability can be used by an attacker to install malware on its victims machines.
Screenshot:

Vendor response rate
The vendor (Seesmic) have decided not to confirm this as a vulnerability. Seesmic claims that they “do not believe this exploit is possible due to the way Adobe AIR binaries are signed at compilation time with private keys to create both an ApplicationID and a PublisherID”. While this might be true, an attacker can:
1) Direct the user to automatically install old signed version of twhirl, and then exploit other vulnerabilities that were patched by newer versions.
2) Use an unsigned binary, which might cause the automatic download to fail. In this case, the user will follow twhirl’s request (See above screenshot) and manually download and run the malicious executable.
Instead of applying a one character fix to this vulnerability (by simply adding an “s” to the HTTP request), Seesmic have decided to ignore my continuous requests to fix this vulnerability. Very poor – 0.5 twits.

MoTB #19: CSRF+XSS vulnerabilities in Talker

What is Talker
Talker is a Hebrew theme for Israeli twitter users (Talker home page)

Twitter effect
Talker can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Talker is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Even though it’s operated by one of the biggest Israeli portals and TV channel (Nana10), it has only several thousands users – 1 twit

Vulnerabilities:
1) Cross-Site Request Forgery in the update forms
Status: Patched.
Details: Talker update forms did not use authenticity code in order to validate that the HTTP requests are coming from the Talker web application.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.

2) Reflected POST Cross-Site in the Subject page.
Status: Patched.
Details: Talker subject page did not encode HTML entities of the subject query string, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Screenshot:

Vendor response rate
The vulnerabilities were fixed 4 days after they have been reported to the vendor. Moderate – 3 twits.

MoTB #18: Persistent XSS vulnerability in tr.im

What is tr.im
“tr.im is an established URL shortening service that prepares great-looking short URLs for services like Twitter. If you send URLs out on Twitter, tr.im is not only the best name, it is one of the shortest.” (tr.im about page)

Twitter effect
tr.im can be used to send tweets with the shortened URLs through a form on their website.
tr.im is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Yet another Twitter shortening service. Not as popular as others in this market – 2 twits

Vulnerability: Persistent Cross-Site in tr.im Referrer statistics page.
Status: Unpatched.
Details: tr.im does not encode HTML entities of the referrer URLs
which can be easily manipulated by attackers, and can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
This vulnerability was submitted by Mike Bailey.
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #17: Persistent XSS vulnerability in mobypicture

What is mobypicture
“Directly share your photos, text, audio and videos with all your friends on your favorite social sites: facebook, twitter, flickr, vimeo, and more!” (mobypicture home page)

Twitter effect
mobypicture can be used to send tweets by uploading new photos, or posting comments on existing photos.
mobypicture is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Yet another Twitter photo sharing service. 27th place in the most used twitter clients, according to “TwitStats” – 3 twits

Vulnerability: Persistent Cross-Site in mobypicture picture view page.
Status: Patched.
Details: mobypicture did not encode HTML entities of the uploaded picture details (title, description, etc.), which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:

Vendor response rate
The vulnerability was fixed 2 hours after it has been reported. Excellent – 5 twits.

MoTB #16: HelloTxt Persistent XSS

What is HelloTxt
“HelloTxt lets you update your status and read your friends’ status across all main microblogging and social networks all at once.” (HelloTxt about page)

Twitter effect
HelloTxt can be used to send tweets to other Twitter users.
HelloTxt is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
16th place in the Top 100 Twitter services of The Museum of Modern Betas Labs – 4 twits

Vulnerability: Persistent Cross-Site in HelloTxt profile page.
Status: Patched.
Details: HelloTxt did not encode HTML entities in the username information updated by the user, which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:

Vendor response rate
The vulnerability was fixed 3 days after it has been reported. Moderate – 3 twits.

1 2 3 4 5