Saturday, August 1, 2009

MoTB #31: Twitter Integrated Search Reflected XSS

What is Twitter Search
"There is an undeniable need to search, filter, and otherwise interact with the volumes of news and information being transmitted to Twitter every second. Twitter Search helps you filter all the real-time information coursing through our service." (Twitter Search about page)


Twitter effect
Because Twitter Search is now integrated within Twitter, a script injected through it can perform any Twitter action in the book on the victim's behalf.


Popularity rate
Integrated search = All web users = 60% of all Twitter users - 5 twits



Vulnerability: Reflected Cross-Site Scripting in the Integrated Search feature.
Status: Patched.
Details: The Integrated Search, as well as its JSON search.html page, did not HTML-encode user-supplied input (the search query and the JSON callback parameter), which could have allowed the injection of scripts.
The vulnerability was also submitted by Laurent Gaffie and Pierre Gardenat. The idea to look at the JSON search.html page came from Ryan Naraine.
This vulnerability could have been used by an attacker to take control of its victims' Twitter accounts, as well as to create a massive Twitter worm.
Proof-of-Concepts:
http://twitter.com/home#search?q=%3Cimg%20src%3D%22.%22%20onerror%3Dalert%28%22xss%22%29%3E
http://integratedsearch.twitter.com/search.html?callback=%3Cscript%3Ealert(%22xss%22)%3C/script%3E&layout=none&locale=en&page=1&q=aslkjdlaskdjlaksjdlaksjdasd
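The second proof-of-concept works because the callback name is echoed verbatim into the JSONP response. The following is an added example, not Twitter's code, that contrasts such an unvalidated responder with a hardened one that only accepts identifier-like callback names, escapes `<` in the JSON body, and sets a JavaScript content type with nosniff; the results object and callback names are constructed for illustration.

```javascript
// Added example, not Twitter's code: vulnerable vs. hardened JSONP responder.
// Sample results, constructed for illustration.
const SAMPLE_RESULTS = {
  results: [{ text: "hello world", from_user: "example_user" }],
};

// Vulnerable: the caller-supplied callback name is reflected as-is, so a
// callback of <script>...</script> lands unencoded in the response body,
// and a browser treating that body as HTML will execute it.
function jsonpVulnerable(callback, results) {
  return `${callback}(${JSON.stringify(results)});`;
}

// Hardened: only dotted JavaScript identifiers are accepted as callback names
// (e.g. "twttr.search.render"), anything else gets a 400 and is never echoed.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function jsonpHardened(callback, results) {
  if (typeof callback !== "string" || callback.length > MAX_CALLBACK_LEN ||
      !CALLBACK_RE.test(callback)) {
    return {
      status: 400,
      headers: { "Content-Type": "application/json; charset=utf-8" },
      body: JSON.stringify({ error: "invalid callback" }),
    };
  }
  // Escape "<" inside the JSON so user text cannot close or open tags even if
  // the body is ever rendered as HTML; "\u003c" is still valid JSON.
  const json = JSON.stringify(results).replace(/</g, "\\u003c");
  return {
    status: 200,
    headers: {
      // Declare the body as script and forbid MIME sniffing it as HTML.
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    // Leading comment keeps the response from being a valid start of any
    // other file format a browser might interpret.
    body: `/**/${callback}(${json});`,
  };
}
```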
Screenshot:



Vendor response rate
Twitter's responsiveness, especially of Alex Payne, was great throughout Month of Twitter Bugs. The vulnerabilities were fixed in less than 24 hours. If I could give them 6 twits, I would. Excellent - 5 twits.