Social Media Security Podcast 16 – Diaspora News, FTC and Twitter, Twitter XSS, Facebook App Permissions

This is the 16th episode of the Social Media Security Podcast recorded July 2, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Social Media Security Podcast 15 – Current Facebook Security Issues, New Privacy Tools, Likejacking, Formspring, Social Media at Work

This is the 15th episode of the Social Media Security Podcast recorded June 11th, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Social Media Security Podcast 14 – Recent Facebook Hacks and Controversy, Diaspora, Swipely

This is the 14th episode of the Social Media Security Podcast recorded May 14th, 2010.  This episode was hosted by Tom Eston and Scott Wright.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes. Thanks for listening!

Social Media Security Podcast 2 – Month of Facebook Bugs, What is XSS, Canadian Privacy Ruling

skullThis is the second episode of the Social Media Security Podcast recorded September 25, 2009.  This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Introducing our new co-host, Kevin Johnson.  Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.
  • Tom talks about the Month of Facebook Bugs (created by a security researcher called “theharmonyguy”) why this is important and how many vulnerable applications have been exploited and fixed so far.  Here is the list of top Facebook applications that Tom mentioned in the podcast.
  • Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS.  Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.
  • Scott talks about the recent ruling regarding the Canadian Federal Privacy Commissioner vs. Facebook.  This ruling in Canada has created wide reaching changes to privacy and the way applications function within Facebook.
  • Scott also included a brief interview with the Canadian Privacy Commissioner’s Office about this recent Facebook ruling.
  • Tom has updated his Facebook Privacy & Security Guide.  You can download the latest version here.

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

MoTB #10: CSRF+XSS vulnerabilities in Twitiq

What is Twitiq
“TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers.” (Twitiq home page)

Twitter effect
Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Twitiq is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
A new 3rd party service, which already gained 5K unique visitors per month (according to Compete)- 1 twit

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.
Status: Patched.
Details: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the “jcb” variable.
Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it’s victims.
Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert(“xss”)%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF
Screenshots:

Vendor response rate
The vulnerabilities were fixed within 1 hour after they have been reported. Excellent – 5 twits.

MoTB #08: DOM Based XSS in Twitterfall

What is Twitterfall
“Twitterfall is a way of viewing the latest ‘tweets’ of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime..” (Twitterfall home page)

Twitter affect
Twitterfall can be used to send tweets, replies or follow other twitter users.
Twitterfall is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
22nd place according to “The Museum of Modern Betas”. 18th place according to compete – 3.5 twits

Vulnerability: DOM Based Cross-Site Scripting in the main page.
Status: Patched.
Details: The Twitterfall main page did not encode HTML entities in the “trend” variable before evaluating it in JavaScript. This could allow the injection of scripts, which could have been used by an attacker to send tweets on behalf of its victims. The older site of Twitterfall (old.twitterfall.com) was also vulnerable to the same issue.
Proof-of-Concepts:
http://www.twitterfall.com/?trend=%3Cimg/src%3D”.”/onerror%3D”alert(‘xss’)”%3E
http://old.twitterfall.com/?trend=%3Cscript%3Ealert(“XSS”)=%3C/script%3E
Screenshots:

Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent – 5 twits.