Twitter developer platform search field vulnerable to XSS

Written by DP

Monday, 6 September 2010

*1st UPDATE* - Security researcher Mike Bailey (mckt) has produced a simple proof of concept which silently exploits this XSS. Any logged-in Twitter user who clicks the button will, without any further interaction, post a tweet reading

"@mckt_ just compromised my Twitter account with XSS. #twitterXSS".

Use it at your own risk:

*2nd UPDATE* - As Stefan Tanase from Kaspersky Labs wrote in the news article "Twitter XSS in the wild", cybercriminals, possibly of Brazilian origin, leveraged this Twitter XSS to steal user cookies and send them to two specific servers. According to the short link statistics, in a very short time they managed to compromise more than 100,000 Twitter accounts by urging users to click on their link with a short tweet that read in Portuguese "Pe Lanza da banda Restart sofre acidente tragico" (Pe Lanza of the band Restart suffers a tragic accident):

(Screenshot by Stefan Tanase of Kaspersky Labs)


(Screenshot by Stefan Tanase of Kaspersky Labs)


Twitter has confirmed that the vulnerability is now fixed.


This non-persistent Twitter XSS was submitted by "cbr" on July 29, 2010 and has not been corrected since then.
Tail of the mirror link (truncated): ""%253E%253C/iframe%253E [XSS Mirror]
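The following is an added example, not code from the original post or from Twitter: a minimal model of a search page that reflects the "q" parameter into an input's value attribute, shown beside an attribute-escaped version, together with the double URL-decoding that turns the fragment "%253E%253C/iframe%253E" visible in the mirror link above into "></iframe>". The template, the function names, the attacker host and the full payload are assumptions for illustration; only that payload tail comes from the page.

```javascript
// Added example (not from the original post). Models a reflected XSS in a search
// field: the query lands inside value="..." without escaping, so a quote and a
// closing angle bracket end the attribute and the tag, and what follows is parsed
// as new markup. Template, helper names and sample payload are assumptions.

// Vulnerable: the query is interpolated straight into a double-quoted attribute.
function renderSearchVulnerable(q) {
  return `<form action="/search"><input type="text" name="q" value="${q}"></form>`;
}

// Hardened: encode every character that can terminate an attribute value or
// start a tag before interpolating into HTML.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderSearchHardened(q) {
  return `<form action="/search"><input type="text" name="q" value="${escapeHtmlAttr(q)}"></form>`;
}

// A double-encoded fragment is decoded once by a redirector or shortener and
// once more by the application: "%253E" becomes "%3E" and then ">".
function decodeTwice(s) {
  return decodeURIComponent(decodeURIComponent(s));
}

// Crude response check a tester can run: does a tag the page never emits itself
// appear as an element (a literal "<iframe" or "<script") rather than as text?
function containsInjectedTag(html) {
  return /<\/?(iframe|script)\b/i.test(html);
}

// Constructed payload (assumption): close the value attribute and the input tag,
// then open an iframe. Its tail is the same fragment shown in the mirror link.
const payloadEncoded =
  '%2522%253E%253Ciframe%2520src%253D%2522http%253A%252F%252Fattacker.example%252F%2522%253E%253C%252Fiframe%253E';
const payload = decodeTwice(payloadEncoded);

// Summarise both renderings so the difference is visible at a glance.
function summarize() {
  return {
    payload,
    vulnerableHtml: renderSearchVulnerable(payload),
    vulnerableHasInjectedTag: containsInjectedTag(renderSearchVulnerable(payload)),
    hardenedHtml: renderSearchHardened(payload),
    hardenedHasInjectedTag: containsInjectedTag(renderSearchHardened(payload)),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
```

The vulnerable rendering contains a real iframe element after the input; the hardened one contains only "&quot;&gt;&lt;iframe ..." inside the attribute, which the browser shows as text. Note that attribute escaping is the right fix only because the value sits in a quoted attribute; a value reflected into a script block or an unquoted attribute needs a different encoder.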

During the summer, another three XSS vulnerabilities in Twitter were reported:
a persistent XSS vulnerability notified by d3v1l,
a persistent XSS vulnerability notified by 0wn3d_5ys,
and one notified by Billy (BK) Rios.

It is important to mention that all three were quickly fixed.

Screenshot #1:


Screenshot #2: 



"Just another persistent Twitter XSS" - DP - 19 Jul 2010
"Twitter XSS bug" - Billy (BK) Rios - 19 Jul 2010
"Persistent XSS vulnerability affecting Twitter promptly corrected" - DP - 27 Jun 2010
