Researcher demonstrates Twitter XSS vulnerability

Powered by SC Magazine
 

Vulnerability could allow an attacker to take over users' accounts.

A Twitter user has demonstrated a cross-site scripting (XSS) vulnerability on the microblogging platform that could allow an attacker to take over users' accounts or spread malware.

An Indonesian security researcher, using the alias “H4x0r-x0x” and Twitter handle “0wn3d_5ys,” discovered the vulnerability and demonstrated the bug using his own Twitter account.

In addition, the researcher on Monday announced details about the flaw on a blog.

The vulnerability affects the “application name” field on Twitter's application registration page, used by developers when setting up a new Twitter application.

The flaw appears to be the result of a lack of input validation of the “application name field” when accepting new requests for Twitter applications, Daniel Kennedy, partner at Praetorian Security Group, told SCMagazineUS.com on Thursday. The flaw could be exploited by cybercriminals to insert malicious JavaScript code into a Twitter page.

“I haven't seen it used by attackers yet, but obviously that can change,” Kennedy said.

Visiting the researcher's Twitter account causes a pair of XSS alert boxes, followed by a user's browser being manipulated. The demonstration of the flaw also causes an animation from the film “The Matrix” to appear, followed by messages from the researcher, one of which states, “My Twitter Owned By : H4x0r-x0x..”

“Infection [account takeover] can be accomplished simply by visiting a profile with an include of a malicious JavaScript, making a true self propagating website worm possible,” according to a post on Praetorian Prefect.

A Twitter spokesperson told SCMagazineUS.com on Thursday that the company is aware of the issue and has fixed it for new applications, but is still working to patch it in all programs.

Last August, a separate but similar XSS bug affecting Twitter was discovered by software developer James Slater. In that case, Twitter's application programming interface (API), used by developers to create applications to post tweets, did not properly filter the URL of these programs. As a result, users could actually insert malicious JavaScript code, along with a URL.


See original article on scmagazineus.com

Copyright © SC Magazine, US edition


Researcher demonstrates Twitter XSS vulnerability
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 341

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  58%
 
No
  42%
TOTAL VOTES: 143

Vote