MoTB #09: Reflected POST XSS vulnerability in Twellow
What is Twellow
"From our home at Twellow headquarters, we're actively searching and categorizing millions of inter-personal exchanges available on the internet every day. Twellow.com is thereby able to assist you in finding real people who really matter. We're doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be." (Twellow about page)
Twitter effect
Twellow can be used to follow and unfollow other twitter users.
Twellow is using Username/Password authentication in order to utilize the Twitter API.
Popularity rate
Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (according to Compete) - 4 twits
Vulnerability: Reflected POST Cross-Site Scripting in the Contact page.
Status: Patched.
Details: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page.
This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.
Screenshots:
Vendor response rate
The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email. Good - 4 twits.
"From our home at Twellow headquarters, we're actively searching and categorizing millions of inter-personal exchanges available on the internet every day. Twellow.com is thereby able to assist you in finding real people who really matter. We're doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be." (Twellow about page)
Twitter effect
Twellow can be used to follow and unfollow other twitter users.
Twellow is using Username/Password authentication in order to utilize the Twitter API.
Popularity rate
Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (according to Compete) - 4 twits
Vulnerability: Reflected POST Cross-Site Scripting in the Contact page.
Status: Patched.
Details: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page.
This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.
Screenshots:
Vendor response rate
The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email. Good - 4 twits.
2 Comments:
and still vulnerable on user_add.php module
see:http://img44.imageshack.us/img44/1570/lolzeo.png
regards
The user_add.php vulnerability has been repaired. Thanks for pointing it out.
Matthew Daines
Twellow Lead Developer
Post a Comment
<< Home