Twitter Cross Site Scripting (XSS) Vulnerability – Watch Out!

by Klaus on August 28, 2009

in Twitter

James Slater, an IT developer with a British firm that specializes in search engine optimization, has found a security vulnerability in the social network Twitter.

The simple act of reading tweets online could let somebody steal your login cookie and potentially gain access to your Twitter account, or simply redirect you to a phishing site.

It works by inserting JavaScript code in the “API” field when adding tweets. Every third-party application you can tweet with has its name displayed under the tweet, so instead of it saying “TweetDeck” the page ends up containing a piece of JavaScript code that could do a lot of things.

The JavaScript code could simply redirect you to a phishing site, a malicious site, a porn site or any site in the world for that matter. It could also take your login cookie and forward it to a site which will then store it for later use. I’m unsure about how much they would be able to do with your login cookie, but they could probably get access to your Twitter account with it – without knowing your actual password.

The code should also be able to delete all your Twitter messages or send a message to all your followers.

James Slater has already made Twitter aware of the problem, but so far Twitter apparently hasn’t done anything other than make sure it’s not possible to write a space in the “API” field. I doubt how effective that really is. He therefore urges you to only follow people you know, and not just because they follow you.
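To show what the “API” field problem comes down to, here is an added example (not code from the post or from Twitter): a hypothetical rendering routine that builds the “via <app name>” line under a tweet, first by concatenating the client-supplied name straight into the HTML, then with the name HTML-encoded on output. The sample app name is constructed for the demonstration.

```javascript
// Added example, not from the original post or from Twitter's code.
// The third-party client's registered name is untrusted input that the
// page renders under every tweet; the fix is to encode it on output.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (the behaviour the post describes): the application
// name is dropped into the markup verbatim, so a name containing tags
// becomes part of the page's DOM and any script in it runs for every reader.
function renderSourceUnsafe(appName) {
  return `<span class="source">via ${appName}</span>`;
}

// Hardened rendering: the same template, but the untrusted value is encoded
// at the point it enters HTML, so the browser treats it as text, not markup.
function renderSourceSafe(appName) {
  return `<span class="source">via ${escapeHtml(appName)}</span>`;
}

// Constructed sample: a client registered with a hostile name. The classic
// test string is used here only to show that the encoder neutralises tags.
const hostileAppName = "TweetDeck<script>alert(1)</script>";

// Returns both renderings so the difference can be inspected or asserted on.
function demo(appName = hostileAppName) {
  return {
    unsafe: renderSourceUnsafe(appName),
    safe: renderSourceSafe(appName),
    // true when the unsafe rendering still carries a raw <script> element
    unsafeContainsScript: /<script\b/i.test(renderSourceUnsafe(appName)),
    safeContainsScript: /<script\b/i.test(renderSourceSafe(appName)),
  };
}

console.log(demo());
```

Encoding has to happen for every context the name is written into (element body, attribute, URL); filtering individual characters out of the stored value, as the space restriction the post mentions does, is not a substitute. Marking the session cookie HttpOnly also keeps `document.cookie` from exposing it to injected script, although redirection and actions taken in the logged-in session remain possible.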

I actually also tried the cookie stealing myself once. I found a home-made forum which wasn’t so secure but was still the most visited forum in that country in its niche. I didn’t harm anybody, of course, but I managed to steal my own login cookie and save it in a database on an external site, simply by adding re-written JavaScript into a forum post. It’s a matter of escaping the security checks and still being able to inject JavaScript. Of course I made the developers aware of the problem and I hope they fixed it, so let’s hope Twitter also fixes this one, once and for all.

In this video, James Slater demonstrates a bit about how it works:
