MoTB #11: Twitturly Persistent XSS

What is Twitturly
“Twitturly tracks the URLs flying around the Twitterverse and provides a quick, real-time view of what people are talking about on Twitter.” (Twitturly about page)

Twitter effect
Twitturly can be used to send tweets to other Twitter users.
Twitturly is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
19th place in the Top 100 Twitter services of The Museum of Modern Betas Labs – 4 twits

Vulnerability: Persistent Cross-Site in Twitturly URLs view page.
Status: Patched.
Details: Twitturly did not encode HTML entities in the un-shortened URLs it displays, which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:

Vendor response rate
The vulnerability was fixed 2 hours after it has been reported. Excellent – 5 twits.

MoTB #10: CSRF+XSS vulnerabilities in Twitiq

What is Twitiq
“TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers.” (Twitiq home page)

Twitter effect
Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Twitiq is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
A new 3rd party service, which already gained 5K unique visitors per month (according to Compete)- 1 twit

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.
Status: Patched.
Details: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the “jcb” variable.
Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it’s victims.
Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert(“xss”)%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF
Screenshots:

Vendor response rate
The vulnerabilities were fixed within 1 hour after they have been reported. Excellent – 5 twits.

Understanding Koobface and other "Drive-By Download" type threats

Koobface is a classic “Drive-by Download” type of threat, which can be a difficult thing for anti-virus programs to deal with. The catch is that you’re being fooled into giving a program explicit permission to run. Should an anti-virus program second-guess that decision? Good question.
Read More »

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

If you’d like to know what a Honey Stick is, and why it’s important to understand what they are telling us, click HERE.

Scott Wright
The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

Site Meter

MoTB #09: Reflected POST XSS vulnerability in Twellow

What is Twellow
“From our home at Twellow headquarters, we’re actively searching and categorizing millions of inter-personal exchanges available on the internet every day. Twellow.com is thereby able to assist you in finding real people who really matter. We’re doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be.” (Twellow about page)

Twitter effect
Twellow can be used to follow and unfollow other twitter users.
Twellow is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (according to Compete) – 4 twits

Vulnerability: Reflected POST Cross-Site Scripting in the Contact page.
Status: Patched.
Details: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page.
This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.
Screenshots:

Vendor response rate
The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email. Good – 4 twits.

MoTB #08: DOM Based XSS in Twitterfall

What is Twitterfall
“Twitterfall is a way of viewing the latest ‘tweets’ of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime..” (Twitterfall home page)

Twitter affect
Twitterfall can be used to send tweets, replies or follow other twitter users.
Twitterfall is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
22nd place according to “The Museum of Modern Betas”. 18th place according to compete – 3.5 twits

Vulnerability: DOM Based Cross-Site Scripting in the main page.
Status: Patched.
Details: The Twitterfall main page did not encode HTML entities in the “trend” variable before evaluating it in JavaScript. This could allow the injection of scripts, which could have been used by an attacker to send tweets on behalf of its victims. The older site of Twitterfall (old.twitterfall.com) was also vulnerable to the same issue.
Proof-of-Concepts:
http://www.twitterfall.com/?trend=%3Cimg/src%3D”.”/onerror%3D”alert(‘xss’)”%3E
http://old.twitterfall.com/?trend=%3Cscript%3Ealert(“XSS”)=%3C/script%3E
Screenshots:

Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent – 5 twits.

Work from home schemes exploit Twitter users’ impulsive need to get rich quick

http://www.v3.co.uk/v3/news/2245583/twitter-users-warned-job-scams

It seems like common sense that most people realize “get rich quick” schemes aren’t worth pursuing. However, just like in the height of the Tech Boom of the late ’90’s it seems that people are rationalizing that “things are different” when it comes to Twitter.

Certainly there are some new ways to market products using Twitter, and the fact that Twitter updates can only be 140 characters begs the question “How hard can it be?”

So, it’s not much of a surprise that “get rich quick” scams will find ways to trick people into either giving up personal information, or paying up front for tips on how to make a fortune while lying in bed in your pajamas. But people want to believe it’s still possible to have good fortune, if only they can get the timing right.

Indeed, new trends are emerging so quickly, it might be tempting to feel that you can “get in on the ground floor” of a new business model. But Twitter is a double-edged sword in that it allows attackers to create compelling headlines and hide their malicous intent and websites in shortened links that many people will click on without considering the risks.

Twitter can be used as a way to quickly reach hundred or thousands of followers. But as with any scheme that sounds too good to be true… Twitter-based opportunities deserve just as much scepticism as any other.

 

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

 

Site Meter

MoTB #07: Reflected XSS vulns in yfrog

What is yfrog
“yfrog is a service run by ImageShack that lets you share your photos on and videos on Twitter.” (yfrog FAQ page)

Twitter affect
yfrog can be used to send tweets by uploading new photos, or posting comments on existing photos.
yfrog is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
A competitor to TwitPic in the Twitter photo sharing market. Owned and operated by the popular ImageShack photo sharing service provider – 4 twits

Vulnerability: Reflected Cross-Site Scripting in the Upload and Search pages.
Status: Patched.
Details: The yfrog picture upload page does not encode HTML entities in the “url” variable, which can allow the injection of scripts. Similar vulnerability exists in the “s” variable of the yfrog Search page.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Proof-of-Concepts:
http://yfrog.com/?url=xxx”>%3Cscript%3Ealert%28″xss”%29%3C%2Fscript%3E
http://yfrog.com/search.php?s=%3Cscript%3Ealert%28/xss/%29%3C%2Fscript%3E
Screenshots:

Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent – 5 twits.

MoTB #06: Multiple vulnerabilities in TwitPic

What is TwitPic
“TwitPic lets you share photos on Twitter.” (TwitPic home page)

Twitter affect
TwitPic can be used to send tweets by uploading new photos, sending them via email, or posting comments on existing photos.
TwitPic is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Most popular Twitter photo sharing service. Most visited Twitter 3rd party website, according to Compete – 5 twits

Vulnerabilities
1) Cross-Site Request Forgery in the Email PIN Settings page.
Status: Patched.
Details: This vulnerability was reported by dblackshell. See dblackshell’s advisory for more details: http://insanesecurity.info/blog/twitpic-modern-twitter-backdoor

Few days before “Month of Twitter Bugs” has started, attackers found Britney Spears’ TwitPic email PIN number by using a brute force attack (which was also fixed by TwitPic).
Instead, they could have easily used this CSRF vulnerability in order to tweet the fake death announcement.

2) Cross-Site Request Forgery in the comments form.
Status: Patched
Details: The comments form on each TwitPic picture web page did not use authenticity code in order to validate that the HTTP request POST is coming from the TwitPic web application.
This could have been used by an attacker to send comments on behalf of its victims, which could have also tweet the comments in Twitter.

3) Persistent Cross-Site Scripting in the TwitPic profile page.
Status: Patched.
Details: This vulnerability was first reported to TwitPic on May 18th 2009, and posted on my blog.
TwitPic did not encode HTML entities in the information it imported from the Twitter profile, and displayed in the TwitPic profile.
Screenshot:

Vendor response rate
It took TwitPic only an hour to fix the vulnerabilities. Excellent – 5 twits.

In conclusion
TwitPic has a large user base, and I’m happy that they are taking security very seriously. They also take the blame when needed. I’ll keep using TwitPic as my main Twitter photo sharing service.

1 23 24 25 26 27 29