xss – The Social Media Security Podcast

MoTB #10: CSRF+XSS vulnerabilities in Twitiq

Posted under Twitter on July 10th, 2009 by avivra

What is Twitiq
“TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers.” (Twitiq home page)

Twitter effect
Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Twitiq is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
A new 3rd party service, which already gained 5K unique visitors per month (according to Compete)- 1 twit

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.
Status: Patched.
Details: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the “jcb” variable.
Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it’s victims.
Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert(“xss”)%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF
Screenshots:

Vendor response rate
The vulnerabilities were fixed within 1 hour after they have been reported. Excellent – 5 twits.

MoTB #08: DOM Based XSS in Twitterfall

Posted under Twitter on July 8th, 2009 by avivra

What is Twitterfall
“Twitterfall is a way of viewing the latest ‘tweets’ of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime..” (Twitterfall home page)

Twitter affect
Twitterfall can be used to send tweets, replies or follow other twitter users.
Twitterfall is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
22nd place according to “The Museum of Modern Betas”. 18th place according to compete – 3.5 twits

Vulnerability: DOM Based Cross-Site Scripting in the main page.
Status: Patched.
Details: The Twitterfall main page did not encode HTML entities in the “trend” variable before evaluating it in JavaScript. This could allow the injection of scripts, which could have been used by an attacker to send tweets on behalf of its victims. The older site of Twitterfall (old.twitterfall.com) was also vulnerable to the same issue.
Proof-of-Concepts:
http://www.twitterfall.com/?trend=%3Cimg/src%3D”.”/onerror%3D”alert(‘xss’)”%3E
http://old.twitterfall.com/?trend=%3Cscript%3Ealert(“XSS”)=%3C/script%3E
Screenshots:

Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent – 5 twits.