New Dangerous Twitter XSS Vulnerability Identified
#1
A new cross-site scripting (XSS) weakness has been identified on Twitter and can be leveraged by attackers to hijack users' sessions and post on their behalf.

According to a report from the XSSed Project, the vulnerability is located in the search script on dev.twitter.com and was discovered by a researcher calling himself "cbr".

"This non-persistent Twitter XSS was submitted by 'cbr' on July 29, 2010 and has not been corrected since then," Dimitris Pagkalos, co-founder of the XSSed Project, writes.

Following the disclosure, security researcher Mike Bailey quickly put together a proof-of-concept exploit which forces a logged-in Twitter user to post a rogue message from their account when visiting a maliciously crafted Web page.

The attack leverages the flaw to hijack the victim's session cookie and use it to post a tweet on their behalf, but the researcher notes that other malicious actions could also be performed.

"While I'm not collecting any data other than session cookies, and I'm discarding them once I post a tweet from your account, I could do much more," the researcher writes.

Bailey's example requires a button to be clicked in order to trigger the exploit, but this is not necessary and the same result could be achieved transparently.

This means that the flaw, which at the time of writing this article is still unpatched, could be used to create a malicious XSS worm that would rapidly spread across the micro-blogging website.

"I wrote this proof of concept in less than 10 minutes. These things are ridiculously easy to attack," Bailey points out.

Cross-site scripting vulnerabilities stem from a failure to properly validate user input into forms and allow attackers to force websites into serving unauthorized code to visitors.

This is actually the fourth serious XSS bug discovered on Twitter this summer, despite the website having confronted similar problems in the past and undergoing repeated scrutiny.


Client-side protection against XSS is available in several browsers. Internet Explorer and Google Chrome come with their own internal filters, while Firefox has the popular NoScript extension.

Reply
Thanks given by:
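The failure the article describes in a search script, sketched as an added example that is not Twitter's code or part of the original article: a page that reflects the search query, rendered once by plain concatenation and once with output encoding. All function names, the page markup and the sample queries are constructed for illustration.

```javascript
// Added illustration: a search page that echoes the user's query back.
// Every name here (escapeHtml, renderUnsafe, renderSafe, ...) is hypothetical.

// Encode the characters that can change HTML structure in element text
// or inside a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable: the query is concatenated into the markup as-is, so tags or
// quotes it contains become part of the page the server sends back.
function renderUnsafe(query) {
  return `<form><input name="q" value="${query}"></form>` +
         `<p>Results for ${query}</p>`;
}

// Hardened: same page, with the query encoded at the point of output.
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<form><input name="q" value="${q}"></form>` +
         `<p>Results for ${q}</p>`;
}

// Crude structural check for a regression test: list the tag names that
// appear in the rendered page, in order.
function tagNames(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.map((t) => /^<\/?([a-zA-Z0-9]+)/.exec(t)[1].toLowerCase());
}

// A renderer is safe for a query if the page has exactly the same tags as
// it does for a harmless query: user input must never add markup.
function structureChanged(render, query) {
  const baseline = tagNames(render('oauth')).join(',');
  return tagNames(render(query)).join(',') !== baseline;
}

// Constructed test query containing a quote, a tag close and a script tag.
const SAMPLE_QUERY = '"><script>alert(1)</script>';

console.log('unsafe renderer altered by input:', structureChanged(renderUnsafe, SAMPLE_QUERY));
console.log('safe renderer altered by input:  ', structureChanged(renderSafe, SAMPLE_QUERY));
```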