MoTB #29: Reflected XSS in chart.ly

What is chart.ly
“Share stock charts on Twitter” (chart.ly home page)

Twitter effect
chart.ly can be used to send tweets and follow other twitter users.
chart.ly is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
A not so popular alternative to StockTwits – 1 twit

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The chart.ly search page does not encode HTML entities in the “q” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://chart.ly/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
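The bug class behind this and most of the other entries on this page is a query variable reflected into HTML without entity encoding. The following is an added example, not code from chart.ly or any of the services listed: a constructed search handler in its vulnerable and fixed forms, plus an allow-list check for the style-attribute case that appears later in #23, where entity encoding alone does not help. Function names and the page markup are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a search page that echoes the "q" variable into both a
# text node and a double-quoted attribute. This is the vulnerable pattern.
def render_search_vulnerable(q: str) -> str:
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'

# Fixed form: html.escape(quote=True) encodes < > & " and ', which closes both the
# text-node context and the attribute-breakout case (testing"><script>...).
def render_search_fixed(q: str) -> str:
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'

# Decode the "q" query variable the way the server receives it from a PoC URL.
def q_from_url(url: str) -> str:
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

# Test helper: does a <script> tag survive into the rendered page?
def contains_script_tag(page: str) -> bool:
    return "<script" in page.lower()

# A value placed inside a style attribute (the bg_color case) cannot be made safe
# by entity encoding; the browser never sees the entities as CSS syntax boundaries
# anyway. Allow-list the value to exactly what a colour should look like.
HEX_COLOR = re.compile(r"[0-9a-fA-F]{6}")

def safe_color(value: str, default: str = "ffffff") -> str:
    return value if HEX_COLOR.fullmatch(value) else default
```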

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #28: Reflected XSS vulnerability in tweetburner

What is tweetburner
“Tracking the links that you share on Twitter” (tweetburner home page)

Twitter effect
tweetburner can be used to send tweets with the shortened URLs through a form on their website.
tweetburner is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Yet another Twitter shortening service. Not as popular as others in this market – 2 twits

Vulnerability: Reflected Cross-Site Scripting in the shortened URL creation page.
Status: Unpatched.
Details: The tweetburner shortened URL creation page does not encode HTML entities in the “url” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetburner.com/links/create?url=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #27: Reflected XSS in Posterous

What is Posterous
“We love sharing thoughts, photos, audio, and files with our friends and family, but we didn’t like how hard it was… so we made a better way. That’s posterous. ” (Posterous about page)

Twitter effect
Posterous can be used to send tweets by sending posts via email, or posting comments on existing posts.
Posterous is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
25th place in the most used twitter clients list, according to “TwitStat” – 3.5 twits

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Patched.
Details: The Posterous search page did not encode HTML entities in the “search” variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concepts: http://avivra.posterous.com/?sort=bestmatch&search=testing%22%3E%3Cscript%3Ealert%28%22xss%22%29%3B%3C%2Fscript%3E
http://posterous.com/explore/?search=xxx%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E
Screenshots:

Vendor response rate
The vulnerability was fixed 12 hours after it was reported. Excellent – 5 twits.

MoTB #26: Reflected XSS in Tweeple Pages

What is Tweeple Pages
“Tweeple Pages is a user powered directory of Twitter users organized by their interests. Simply allow the Tweeple Pages application access and you can start discovering other users with similar interests as you!” (Tweeple Pages about page)

Twitter effect
Tweeple Pages can be used to follow and unfollow other twitter users.
Tweeple Pages is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Not a very popular alternative to twellow, wefollow, and other Twitter categorization services – 0.5 twits

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The Tweeple Pages search page does not encode HTML entities in the “q” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweeplepages.com/search.php?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #25: CSRF+XSS vulnerabilities in TwitStat

What is TwitStat
TwitStat provides a mobile web interface for Twitter.

Twitter effect
TwitStat can be used to send tweets, direct messages and follow/unfollow other Twitter users.
TwitStat is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
30th place in the most used twitter clients list, according to “TwitStat” – 3 twits

Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The TwitStat index.php web page did not use an authenticity token in order to validate that the HTTP POST was coming from the TwitStat web application.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
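The missing check described above is a per-session anti-CSRF token that only the application's own form can carry. The following is an added example, not TwitStat or StockTwits code: a constructed update handler in its vulnerable form, which trusts the session cookie alone, beside a fixed form that also requires the token. The function names, the secret and the form field name are assumptions.

```python
import hashlib
import hmac

# Constructed server secret; a real application loads this from configuration.
SERVER_SECRET = b"constructed-server-secret"

def issue_token(session_id: str) -> str:
    """Per-session anti-CSRF token, embedded as a hidden field in the app's own
    update form. Derived from the session, so a third-party page cannot guess it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_update_vulnerable(session_id: str, form: dict, sent: list) -> int:
    # Only checks that the browser attached a session cookie. An auto-submitting
    # form on any other site passes this check, because the browser sends the
    # cookie with the cross-site POST, and the tweet in `form` gets posted.
    if not session_id:
        return 401
    sent.append(form["status"])  # stands in for the Twitter API call
    return 200

def handle_update_fixed(session_id: str, form: dict, sent: list) -> int:
    # Additionally requires the token that only the app's own page can know.
    # compare_digest keeps the comparison constant-time.
    if not session_id:
        return 401
    expected = issue_token(session_id)
    supplied = form.get("authenticity_token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403
    sent.append(form["status"])
    return 200
```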

2) Reflected POST Cross-Site Scripting in the Search page.
Status: Patched.
Details: The TwitStat search page did not encode HTML entities in the “terms” form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: http://www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
Screenshot:

Vendor response rate
The vulnerabilities were fixed 5 days after they were reported. Moderate – 3 twits.

MoTB #24: Reflected XSS in TweeTube

What is TweeTube
“TweeTube was started in January 2009 after identifying a need for an easy way to share YouTube videos among your Twitter followers. We since grew to allow users to share different stuff like pictures, webcam recordings, website urls and much more to come.” (TweeTube about page)

Twitter effect
TweeTube can be used to send tweets by uploading new videos/photos, sending them via email, or posting comments on existing videos/photos.
TweeTube is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Not a very popular alternative to yfrog, twitpic and other Video or Photo sharing services – 0.5 twits

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The TweeTube search page does not encode HTML entities in the “q” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://www.tweetube.com/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #23: TwitterCounter/TwitterRemote Reflected XSS vulnerabilities

What is TwitterCounter
“Just as TwitterCounter could be described as Feedburner for Twitter you could say that TwitterRemote is like MyBlogLog for Twitter. ” (TwitterCounter about page)

Twitter effect
TwitterCounter can be used to send new tweets and reply to other Twitter users.
TwitterCounter is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Over 830,000 unique visitors per month (According to Compete) – 4 twits

1) Vulnerability: Reflected Cross-Site Scripting in the Country page.
Status: Unpatched.
Details: The TwitterCounter country page does not encode HTML entities in the “timezone” variable, which can allow the injection of scripts.
The vulnerability was also submitted, and publicly disclosed by d3v1l.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://twittercounter.com/pages/country?time_zone=XXX%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

2) Vulnerability: Reflected Cross-Site Scripting in the iframe.php page.
Status: Unpatched.
Details: The TwitterRemote iframe.php page does not encode HTML entities in the query variables, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://twittercounter.com/remote/iframe.php?username_owner=xxx&users_id=3351429&nr_show=6&hr_color=cccccc&a_color=709cb2&bg_color=;color:expression(alert('xss'))
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #22: CSRF in StockTwits

What is StockTwits
“StockTwits is an open, community-powered idea and information service for investments. Users can eavesdrop on traders and investors, or contribute to the conversation and build their reputation as savvy market wizards. The service takes financial related data – using Twitter as the content production platform – and structures it by stock, user, reputation, etc.” (StockTwits about page)

Twitter effect
StockTwits can be used to send tweets and follow other Twitter users.
StockTwits is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
82nd place according to “The Museum of Modern Betas” – 2 twits

Vulnerability: Cross-Site Request Forgery in the update JSON page.
Status: Patched.
Details: The StockTwits update JSON page did not use an authenticity token in order to validate that the HTTP POST was coming from the StockTwits web application.
Screenshots:

Vendor response rate
The vulnerability was fully fixed 22 hours after it was reported. Excellent – 5 twits.
