MoTB #21: Multiple vulnerabilities in

What is
“ is a simple and FREE service that makes updating your social networks a snap!” ( home page)

Twitter effect
The service can be used to send tweets submitted through its website, by email, or by SMS. It uses username/password authentication to access the Twitter API.

Popularity rate
8th place in the most used twitter clients – 4.5 twits

1) Cross-Site Request Forgery in the SMS Phone No. Settings page.
Status: Patched.
Details: The SMS phone number settings page did not include an authenticity token to validate that the POST request originated from the web application itself.
This could have been used by an attacker to send tweets on behalf of their victims, by simply sending an SMS to

2) Reflected Cross-Site Scripting in the “Ping This!” page.
Status: Patched.
Details: The “Ping This!” page did not HTML-encode the “link” parameter before reflecting it into the page, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of their victims.
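As an added illustration (not code from the original post or from the service it describes), the following Python snippet shows the two server-side checks that findings 1 and 2 hinge on: a per-session authenticity token that the SMS settings form must carry on every POST, and HTML-escaping of the reflected “link” parameter on the “Ping This!” page, with a scheme check so the value is only ever placed in an href when it is an http(s) URL. The session layout, the form field names and the handler names are assumptions made for the example.

```python
import html
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for a logged-in user's server-side session
# (assumption: the real application keeps something equivalent).
SESSION = {"user": "alice", "csrf_token": secrets.token_hex(16)}


def issue_form_token(session):
    """Return the per-session secret that the settings form embeds as a hidden field."""
    return session["csrf_token"]


def is_authentic_post(session, form_fields):
    """Finding 1 fix: accept a state-changing POST only if it carries the session's
    token. A form hosted on another site cannot read that token, so a forged
    cross-site request arrives without it and is rejected."""
    submitted = form_fields.get("authenticity_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison avoids leaking the token byte by byte.
    return hmac.compare_digest(submitted, expected)


def update_sms_number(session, form_fields):
    """Hardened handler for the SMS phone number settings page (hypothetical name)."""
    if not is_authentic_post(session, form_fields):
        return 403, "rejected: missing or invalid authenticity token"
    session["sms_number"] = form_fields["phone"]
    return 200, "saved"


def render_ping_this_vulnerable(link):
    """Finding 2 as reported: the parameter is reflected verbatim into the page."""
    return f'<p>Post this link: <a href="{link}">{link}</a></p>'


def render_ping_this(link):
    """Finding 2 fix: escape the value for HTML (including quotes, since it lands
    inside an attribute), and only emit an anchor for http/https URLs so that
    javascript: and similar schemes are shown as text rather than made clickable."""
    safe = html.escape(link, quote=True)
    if urlsplit(link).scheme.lower() in ("http", "https"):
        return f'<p>Post this link: <a href="{safe}">{safe}</a></p>'
    return f"<p>Post this link: {safe}</p>"


if __name__ == "__main__":
    token = issue_form_token(SESSION)
    print(update_sms_number(SESSION, {"phone": "+15550100", "authenticity_token": token}))
    print(update_sms_number(SESSION, {"phone": "+15550199"}))  # forged request: no token
    print(render_ping_this_vulnerable("<script>alert(1)</script>"))
    print(render_ping_this("<script>alert(1)</script>"))
    print(render_ping_this("http://example.com/?a=1&b=2"))
```

The token check covers the write path that finding 1 describes; escaping alone would not be enough for the “link” value because an attribute context also needs quote escaping and a scheme allowlist, which is why the hardened renderer does both.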

Vendor response rate
The vulnerabilities were fixed several hours after they were reported. Excellent – 5 twits.
