MoTB #08: DOM Based XSS in Twitterfall
What is Twitterfall
"Twitterfall is a way of viewing the latest 'tweets' of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime." (Twitterfall home page)
Twitter effect
Twitterfall can be used to send tweets and replies, or to follow other Twitter users.
Twitterfall uses OAuth to authenticate to the Twitter API.
Popularity rate
22nd place according to "The Museum of Modern Betas". 18th place according to Compete - 3.5 twits
Vulnerability: DOM Based Cross-Site Scripting in the main page.
Status: Patched.
Details: The Twitterfall main page did not encode HTML entities in the "trend" variable before evaluating it in JavaScript. This allowed script injection, which an attacker could have used to send tweets on behalf of the victim. The older Twitterfall site (old.twitterfall.com) was vulnerable to the same issue.
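The bug class described above, as an added example that is not Twitterfall's code: a page reads a "trend" value from the URL and builds markup with it. The unsafe variant splices the raw parameter into markup destined for an HTML sink (innerHTML or document.write), so tags in the URL become live DOM; the hardened variant encodes HTML entities first. The helper names, the template string and the query-string parsing are assumptions made for the example, and the sample input is constructed from the decoded form of the first proof-of-concept URL.

```javascript
// Added example (not Twitterfall's code): unsafe vs. encoded rendering of a
// URL parameter, plus a small check a reviewer or test suite can run.

// Read ?trend=... from a query string, as a page would from
// window.location.search (assumption: plain key=value pairs).
function getTrendParam(search) {
  const params = new URLSearchParams(search);
  return params.get("trend") || "";
}

// Minimal HTML entity encoding of the characters that break out of an HTML
// text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (the bug class in the post): the raw parameter lands in
// markup that is later assigned to innerHTML / passed to document.write().
function renderTrendUnsafe(search) {
  return "<h2>Trending: " + getTrendParam(search) + "</h2>";
}

// Hardened pattern: encode before the value reaches an HTML sink. In a
// browser, setting element.textContent instead of innerHTML avoids the sink.
function renderTrendSafe(search) {
  return "<h2>Trending: " + escapeHtml(getTrendParam(search)) + "</h2>";
}

// Check: true when the rendered markup contains a tag that did not come from
// the fixed template, i.e. user-controlled markup survived rendering.
function containsInjectedTag(html) {
  const body = html.replace(/^<h2>Trending: /, "").replace(/<\/h2>$/, "");
  return /<[a-zA-Z!\/]/.test(body);
}

// Constructed sample input: decoded form of the post's first PoC URL.
const SAMPLE_SEARCH = '?trend=<img/src="."/onerror="alert(\'xss\')">';

// Returns both renderings so the difference can be inspected or asserted on.
function demo(search = SAMPLE_SEARCH) {
  return {
    unsafe: renderTrendUnsafe(search),
    safe: renderTrendSafe(search),
    unsafeInjected: containsInjectedTag(renderTrendUnsafe(search)),
    safeInjected: containsInjectedTag(renderTrendSafe(search)),
  };
}
```

The encoding step is the minimal fix for this sink; a DOM-based issue like this never reaches the server, so it is invisible in server logs and has to be caught in the client code itself (code review for innerHTML/document.write sinks fed from location.*, or a client-side test such as the one above).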
Proof-of-Concepts:
http://www.twitterfall.com/?trend=%3Cimg/src%3D"."/onerror%3D"alert('xss')"%3E
http://old.twitterfall.com/?trend=%3Cscript%3Ealert("XSS")=%3C/script%3E
Screenshots:
Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent - 5 twits.
Labels: MoTB, Twitterfall, XSS