Saturday, August 1, 2009

MoTB #31: Twitter Integrated Search Reflected XSS

What is Twitter Search
"There is an undeniable need to search, filter, and otherwise interact with the volumes of news and information being transmitted to Twitter every second. Twitter Search helps you filter all the real-time information coursing through our service." (Twitter Search about page)


Twitter effect
Because Twitter Search is now integrated within Twitter, you can now actually preform any Twitter action in the book.


Popularity rate
Integrated search = All web users = 60% of all Twitter users - 5 twits



Vulnerability: Reflected Cross-Site in the Integrated Search feature.
Status: Patched.
Details: The Integrated search, as well as it's JSON search.html page, did not encode HTML entities, which could have allowed the injection of scripts.
The vulnerability was also submitted by Laurent Gaffie and Pierre Gardenat. The idea to look at the JSON search.html page came from Ryan Naraine.
This vulnerability could have been used by an attacker to take control of its victims Twitter accounts, as well as to create a massive Twitter worm.
Proof-of-Concepts:
http://twitter.com/home#search?q=%3Cimg%20src%3D%22.%22%20onerror%3Dalert%28%22xss%22%29%3E
http://integratedsearch.twitter.com/search.html?callback=%3Cscript%3Ealert(%22xss%22)%3C/script%3E&layout=none&locale=en&page=1&q=aslkjdlaskdjlaksjdlaksjdasd
Screenshot:



Vendor response rate
Twitter's responsiveness, especially of Alex Payne, was great throughout Month of Twitter Bugs. The vulnerabilities were fixed in less than 24 hours. If I could give them 6 twits, I would. Excellent - 5 twits.

Friday, July 31, 2009

MoTB #30: TweetDeck Insecure Communication Vulnerability

What is TweetDeck
"TweetDeck is your personal browser for staying in touch with what’s happening now, connecting you with your contacts across Twitter, Facebook and more. TweetDeck shows you everything you want to see at once, so you can stay organised and up to date." (TweetDeck about page)


Twitter effect
TweetDeck can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
TweetDeck is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
The most popular Twitter clients. 2nd place in the most used twitter clients, with 25.6% usage in the past week - 5 twits


Vulnerability: Insecure communication vulnerability when displaying videos.
Status: Unpatched.
Details: TweetDeck does not use a secure communication when it displays videos inline (e.g. using Qik). An attacker who controls the victim's network (e.g. via public WiFi, compromised DNS servers, etc.) can tamper with the request to the video website and replace it with a rogue content (e.g. display a fake malicious update request).
This vulnerability can be used by an attacker to install malware on its victims machines.
Screenshot:



Vendor response rate
The vendor has confirmed this as a vulnerability. They are working with their partners (Qik and 12seconds) in order to replace the current HTTP connection with HTTPS. While the vendor have yet to fix the vulnerability, they were very responsive and have promised to release a patch as soon as their partners will implement SSL on their websites. Almost Good - 3.5 twits.

Wednesday, July 29, 2009

MoTB #29: Reflected XSS in chart.ly

What is chart.ly
"Share stock charts on Twitter" (chart.ly home page)


Twitter effect
chart.ly can be used to send tweets and follow other twitter users.
chart.ly is using OAuth authentication method in order to utilize the Twitter API.


Popularity rate
A not so popular alternative to StockTwits - 1 twit


Vulnerability: Reflected Cross-Site in the Search page.
Status: Unpatched.
Details: The chart.ly search page does not encode HTML entities in the "q" variable, which can allow the injection of scripts.
This vulnerability can used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://chart.ly/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E


Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.

MoTB #28: Reflected XSS vulnerability in tweetburner

What is tweetburner
"Tracking the links that you share on Twitter" (tweetburner home page)


Twitter effect
tweetburner can be used to send tweets with the shortened URLs through a form on their website.
tweetburner is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
Yet another Twitter shortening service. Not as popular as others in this market - 2 twits


Vulnerability: Reflected Cross-Site in the shortened URL creation page.
Status: Unpatched.
Details: The tweetburner shortened URL creation page does not encode HTML entities in the "url" variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetburner.com/links/create?url=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:



Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.

Monday, July 27, 2009

MoTB #27: Reflected XSS in Posterous

What is Posterous
"We love sharing thoughts, photos, audio, and files with our friends and family, but we didn't like how hard it was... so we made a better way. That's posterous. " (Posterous about page)


Twitter effect
Posterous can be used to send tweets by sending posts via email, or posting comments on existing posts.
Posterous is using OAuth authentication method in order to utilize the Twitter API.


Popularity rate
25th place in the most used twitter clients list, accordint to "TwitStat" - 3.5 twits



Vulnerability: Reflected Cross-Site in the Search page.
Status: Patched.
Details: The Posterous search page did not encode HTML entities in the "search" variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concepts: http://avivra.posterous.com/?sort=bestmatch&search=testing%22%3E%3Cscript%3Ealert%28%22xss%22%29%3B%3C%2Fscript%3E
http://posterous.com/explore/?search=xxx%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E
Screenshots:




Vendor response rate
The vulnerability was fixed 12 hours after it has been reported. Excellent - 5 twits.

Sunday, July 26, 2009

MoTB #26: Reflected XSS in Tweeple Pages

What is Tweeple Pages
"Tweeple Pages is a user powered directory of Twitter users organized by their interests. Simply allow the Tweeple Pages application access and you can start discovering other users with similar interests as you!" (Tweeple Pages about page)


Twitter effect
Tweeple Pages can be used to follow and unfollow other twitter users.TweeTube is using OAuth authentication method in order to utilize the Twitter API.


Popularity rate
Not a very popular alternative to twellow, wefollow, and other Twitter categorization services - 0.5 twits



Vulnerability: Reflected Cross-Site in the Search page.
Status: Unpatched.
Details: The Tweeple Pages search page does not encode HTML entities in the "q" variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweeplepages.com/search.php?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:



Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.

Saturday, July 25, 2009

MoTB #25: CSRF+XSS vulnerabilities in TwitStat

What is TwitStat
TwitStat provides a mobile web interface for Twitter.


Twitter effect
TwitStat can be used to send tweets, direct messages and follow/unfollow other Twitter users.
TwitStat is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
30th place in the most used twitter clients list, according to “TwitStat” - 3 twits


Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The TwitStat index.php web page did not use authenticity code in order to validate that the HTTP post is coming from the TwitStat web application.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.

2) Reflected POST Cross-Site in the Search page.
Status: Patched.
Details: The TwitStat search page did not encode HTML entities in the "terms" form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: http://www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
Screenshot:



Vendor response rate
The vulnerabilities were fixed 5 days after they have been reported. Moderate - 3 twits.