What is TweetGrid
“TweetGrid is a powerful Twitter Search Dashboard that allows you to search for up to 9 different topics, events, conversations, hashtags, phrases, people, groups, etc in real-time. As new tweets are created, they are automatically updated in the grid. No need to refresh the page!” (TweetGrid FAQ page)
TweetGrid can be used to send new tweets and reply to other Twitter users.
TweetGrid uses username/password authentication to access the Twitter API.
28th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” – 3.5 twits
Vulnerability: Reflected Cross-Site Scripting in the search page.
Details: The TweetGrid search page did not encode HTML entities in the “q” variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Vendor response rate
The vulnerability was fixed 1 hour after it was reported. Excellent – 5 twits.
What is Twitiq
“TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers.” (Twitiq home page)
Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Twitiq uses username/password authentication to access the Twitter API.
A new 3rd party service, which has already gained 5K unique visitors per month (according to Compete) – 1 twit
Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.
Details: The Twitiq jsonp.php web page did not use an authenticity code to validate that the HTTP POST is coming from the Twitiq web application. Also, jsonp.php did not encode HTML entities in the “jcb” variable.
Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other Twitter users on behalf of its victims.
Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert("xss")%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF
Vendor response rate
The vulnerabilities were fixed within 1 hour after they were reported. Excellent – 5 twits.
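The two checks whose absence is described for jsonp.php, written as a framework-neutral Python handler. This is an added example, not Twitiq's code or its actual fix; the `authenticity_token` parameter name, `SERVER_KEY` and the session id are assumptions, while `jcb`, `action_jsonp` and `new_status` come from the proof-of-concept URL.

```python
import hashlib
import hmac
import json
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
# The callback must be a dotted JavaScript identifier path and nothing else.
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]{0,63}(?:\.[A-Za-z_$][\w$]{0,63})*", re.ASCII)
STATE_CHANGING = {"new_status"}  # action name from the proof-of-concept URL


def issue_token(session_id: str) -> str:
    """Authenticity token bound to the session; the app embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_jsonp(method: str, params: dict, session_id: str) -> tuple:
    """Return (status, content_type, body) for a jsonp.php-style request."""
    callback = params.get("jcb", "")
    # XSS check: the callback is reflected into the response, so anything that
    # is not a plain identifier (for example markup) is rejected outright.
    if not CALLBACK_RE.fullmatch(callback):
        return 400, "text/plain", "invalid callback"
    action = params.get("action_jsonp", "")
    if action not in STATE_CHANGING:
        return 400, "text/plain", "unknown action"
    # CSRF check: a state change needs POST plus a token that a page on
    # another origin cannot read or guess (hypothetical parameter name).
    supplied = params.get("authenticity_token", "").encode()
    expected = issue_token(session_id).encode()
    if method != "POST" or not hmac.compare_digest(supplied, expected):
        return 403, "text/plain", "missing or invalid authenticity token"
    result = {"ok": True, "action": action}
    # Serve as JavaScript, never text/html, so the body is not parsed as markup.
    body = f"/**/{callback}({json.dumps(result)});"
    return 200, "application/javascript; charset=utf-8", body
```
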
Koobface is a classic “Drive-by Download” type of threat, which can be a difficult thing for anti-virus programs to deal with. The catch is that you’re being fooled into giving a program explicit permission to run. Should an anti-virus program second-guess that decision? Good question.
The Streetwise Security Coach
What is TwitPic
“TwitPic lets you share photos on Twitter.” (TwitPic home page)
TwitPic can be used to send tweets by uploading new photos, sending them via email, or posting comments on existing photos.
TwitPic uses username/password authentication to access the Twitter API.
Most popular Twitter photo sharing service. Most visited Twitter 3rd party website, according to Compete – 5 twits
1) Cross-Site Request Forgery in the Email PIN Settings page.
Details: This vulnerability was reported by dblackshell. See dblackshell’s advisory for more details: http://insanesecurity.info/blog/twitpic-modern-twitter-backdoor
A few days before the “Month of Twitter Bugs” started, attackers found Britney Spears’ TwitPic email PIN number by using a brute force attack (which was also fixed by TwitPic).
Instead, they could have easily used this CSRF vulnerability in order to tweet the fake death announcement.
2) Cross-Site Request Forgery in the comments form.
Details: The comments form on each TwitPic picture web page did not use an authenticity code to validate that the HTTP POST request is coming from the TwitPic web application.
This could have been used by an attacker to send comments on behalf of its victims, and those comments could also have been tweeted on Twitter.
3) Persistent Cross-Site Scripting in the TwitPic profile page.
Details: This vulnerability was first reported to TwitPic on May 18th 2009, and posted on my blog.
TwitPic did not encode HTML entities in the information it imported from the Twitter profile, and displayed in the TwitPic profile.
Vendor response rate
It took TwitPic only an hour to fix the vulnerabilities. Excellent – 5 twits.
TwitPic has a large user base, and I’m happy that they are taking security very seriously. They also take the blame when needed. I’ll keep using TwitPic as my main Twitter photo sharing service.