MoTB #16: HelloTxt Persistent XSS
What is HelloTxt
"HelloTxt lets you update your status and read your friends' status across all main microblogging and social networks all at once." (HelloTxt about page)
Twitter effect
HelloTxt can be used to send tweets to other Twitter users.
HelloTxt is using Username/Password authentication in order to utilize the Twitter API.
Popularity rate
16th place in the Top 100 Twitter services of The Museum of Modern Betas Labs - 4 twits
Vulnerability: Persistent Cross-Site in HelloTxt profile page.
Status: Patched.
Details: HelloTxt did not encode HTML entities in the username information updated by the user, which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:
Vendor response rate
The vulnerability was fixed 3 days after it has been reported. Moderate - 3 twits.
"HelloTxt lets you update your status and read your friends' status across all main microblogging and social networks all at once." (HelloTxt about page)
Twitter effect
HelloTxt can be used to send tweets to other Twitter users.
HelloTxt is using Username/Password authentication in order to utilize the Twitter API.
Popularity rate
16th place in the Top 100 Twitter services of The Museum of Modern Betas Labs - 4 twits
Vulnerability: Persistent Cross-Site in HelloTxt profile page.
Status: Patched.
Details: HelloTxt did not encode HTML entities in the username information updated by the user, which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:
Vendor response rate
The vulnerability was fixed 3 days after it has been reported. Moderate - 3 twits.
1 Comments:
another XSS on login module,
check -> http://m.hellotxt.com
http://img21.imageshack.us/img21/4417/39200530.png
Post a Comment
<< Home