MoTB #18: Persistent XSS vulnerability in tr.im

What is tr.im
“tr.im is an established URL shortening service that prepares great-looking short URLs for services like Twitter. If you send URLs out on Twitter, tr.im is not only the best name, it is one of the shortest.” (tr.im about page)

Twitter effect
tr.im can be used to send tweets with the shortened URLs through a form on their website.
tr.im is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Yet another Twitter shortening service. Not as popular as others in this market – 2 twits

Vulnerability: Persistent Cross-Site in tr.im Referrer statistics page.
Status: Unpatched.
Details: tr.im does not encode HTML entities of the referrer URLs
which can be easily manipulated by attackers, and can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
This vulnerability was submitted by Mike Bailey.
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #17: Persistent XSS vulnerability in mobypicture

What is mobypicture
“Directly share your photos, text, audio and videos with all your friends on your favorite social sites: facebook, twitter, flickr, vimeo, and more!” (mobypicture home page)

Twitter effect
mobypicture can be used to send tweets by uploading new photos, or posting comments on existing photos.
mobypicture is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Yet another Twitter photo sharing service. 27th place in the most used twitter clients, according to “TwitStats” – 3 twits

Vulnerability: Persistent Cross-Site in mobypicture picture view page.
Status: Patched.
Details: mobypicture did not encode HTML entities of the uploaded picture details (title, description, etc.), which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:

Vendor response rate
The vulnerability was fixed 2 hours after it has been reported. Excellent – 5 twits.

MoTB #16: HelloTxt Persistent XSS

What is HelloTxt
“HelloTxt lets you update your status and read your friends’ status across all main microblogging and social networks all at once.” (HelloTxt about page)

Twitter effect
HelloTxt can be used to send tweets to other Twitter users.
HelloTxt is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
16th place in the Top 100 Twitter services of The Museum of Modern Betas Labs – 4 twits

Vulnerability: Persistent Cross-Site in HelloTxt profile page.
Status: Patched.
Details: HelloTxt did not encode HTML entities in the username information updated by the user, which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:

Vendor response rate
The vulnerability was fixed 3 days after it has been reported. Moderate – 3 twits.

MoTB Halftime Statistics Report

I’ve decided to gather and publish some statistics for the first 15 days of “Month of Twitter Bugs”.
There were 35 vulnerabilities disclosed for 15 different Twitter 3rd-party services.
12 of the 35 vulnerabilities were 0days (11 of them disclosed in the blog comments), which means there was no patch available at the time they were disclosed.
7 of those 0day vulnerabilities are still unpatched!
The average fix time for a vendor (not including bit.ly) is 18 hours.
The following pie chart shows the types of vulnerabilities found in MoTB.

As a bonus for the “Halftime statistics report”, I would like to present a bug that was submitted by Laurent Gaffie: Twitter Search Web Server Information Leakage.
The Twitter search server did not block access to the “.htaccess” file, which revealed the configuration of the Twitter search web server, including a block list of IPs (spammers?).
Status: Fixed.
Screenshot:

While this bug is nothing compared to the recent Twitter servers/employees hack disclosure, it still shows that Twitter needs to hire a security engineer, and fast!

MoTB #15: CSRF+XSS vulnerabilities in Slandr

What is Slandr
“Slandr delivers an enhanced mobile site for twitter, with: replies, direct messaging, etc..” (Slandr about page)

Twitter effect
Slandr can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Slandr is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
27th place in the most used twitter clients, according to “TwitStats” – 3 twits

Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The Slandr index.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Slandr web application.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.

2) Reflected POST Cross-Site in the Search page.
Status: Patched.
Details: The Slandr search page did not encode HTML entities in the “search” form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E
Screenshot:

Vendor response rate
The vendor have published a blog post about these vulnerabilities.
The vulnerabilities were fixed 2 days after they have been reported. Good – 4 twits.

MoTB #14: Reflected XSS in TweetMeme

What is TweetMeme
“TweetMeme is a service which aggregates all the popular links on twitter to determine which links are popular. TweetMeme is able to categorize these links into categories and subcategories, making it easy to filter out the noise to find what your interested in.” (TweetMeme about page)

Twitter effect
TweetMeme can be used to send new tweets and reply to other Twitter users.
TweetMeme is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
6.5 Million unique visitors per month (According to Compete) – 4.5 twits

Vulnerability: Reflected Cross-Site in the Search page.
Status: Patched.
Details: The TweetMeme search page did not encode HTML entities in the “for” variable, which could have allowed the injection of scripts.
The vulnerability was also submitted, and publicly disclosed by d3v1l.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E
Screenshot:

Vendor response rate
Vulnerability was fixed 2 hours after it has been reported. Excellent – 5 twits.

MoTB #13: Reflected XSS in Brightkite

What is Brightkite
“Brightkite is a location-based social network. In real time you can see where your friends are and what they’re up to. Depending on your privacy settings you can also meet others nearby.” (Brightkite home page)

Twitter effect
Brightkite can be used to send new tweets and reply to other Twitter users.
Brightkite is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
16th place in the most used twitter clients, according to “TwitStats” – 4 twits

Vulnerability: Reflected Cross-Site in the “Person not found” page.
Status: Patched.
Details: The Brightkite “Person not found” page did not encode HTML entities in the people query variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://brightkite.com/people/zxxx%22%3E%3Cbody%20onload=%22alert(%27xss%27)%22%3E
Screenshot:

Vendor response rate
Vulnerability was fixed 1 hour after it has been reported. Excellent – 5 twits.

MoTB #12: Reflected XSS in TweetGrid

What is TweetGrid
“TweetGrid is a powerful Twitter Search Dashboard that allows you to search for up to 9 different topics, events, converstations, hashtags, phrases, people, groups, etc in real-time. As new tweets are created, they are automatically updated in the grid. No need to refresh the page!” (TweetGrid FAQ page)

Twitter effect
TweetGrid can be used to send new tweets and reply to other Twitter users.
TweetGrid is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
28th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” – 3.5 twits

Vulnerability: Reflected Cross-Site in the Search page.
Status: Patched.
Details: The TweetGrid search page did not encode HTML entities in the “q” variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetgrid.com/search?q=xxx%3C%2Ftitle%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
Screenshot:

Vendor response rate
Vulnerability was fixed 1 hour after it has been reported. Excellent – 5 twits.

1 22 23 24 25 26 29