Saturday, August 1, 2009
MoTB #31: Twitter Integrated Search Reflected XSS
What is Twitter Search
"There is an undeniable need to search, filter, and otherwise interact with the volumes of news and information being transmitted to Twitter every second. Twitter Search helps you filter all the real-time information coursing through our service." (Twitter Search about page)
Twitter effect
Because Twitter Search is now integrated into Twitter itself, a script injected through it runs on twitter.com and can perform any Twitter action in the book on behalf of the logged-in user.
Popularity rate
Integrated search = All web users = 60% of all Twitter users - 5 twits
Vulnerability: Reflected Cross-Site Scripting in the Integrated Search feature.
Status: Patched.
Details: The integrated search, as well as its JSON search.html page, did not encode HTML entities, which could have allowed the injection of scripts. In the search.html case the user-supplied "callback" parameter of the JSON response was reflected into the response without validation.
The vulnerability was also submitted by Laurent Gaffie and Pierre Gardenat. The idea to look at the JSON search.html page came from Ryan Naraine.
This vulnerability could have been used by an attacker to take control of its victims' Twitter accounts, as well as to create a massive Twitter worm.
Proof-of-Concepts:
twitter.com/home#search?q=%3Cimg%20src%3D%22.%22%20onerror%3Dalert%28%22xss%22%29%3E
integratedsearch.twitter.com/search.html?callback=%3Cscript%3Ealert(%22xss%22)%3C/script%3E&layout=none&locale=en&page=1&q=aslkjdlaskdjlaksjdlaksjdasd
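The second PoC above is the classic JSONP mistake: whatever string arrives in the callback parameter is written straight into the response body, so a browser that opens the URL directly renders the injected tag. The first PoC is a client-side sink of the same kind (the q value after the # is read from the fragment by the page's script and written into the DOM; the fix there is to write it with textContent rather than innerHTML). The following is an added example, not Twitter's code, that reduces the server-side case to a small function and puts the hardened version beside it. The endpoint shape, the result format and the accepted callback syntax are assumptions for illustration.

```javascript
// Added example (not Twitter's code): a JSONP endpoint that reflects the
// caller-supplied callback name, beside a hardened version. The endpoint
// name, parameters and result shape are assumed for illustration only.
'use strict';

// What the vulnerable search.html did, reduced to its essence: the callback
// parameter is pasted into the response verbatim. With
// callback=<script>alert("xss")</script> the body starts with a <script> tag,
// and a browser that navigates to the URL directly renders it as HTML.
function buildJsonpResponseVulnerable(callback, results) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html' },
    body: callback + '(' + JSON.stringify({ results }) + ');',
  };
}

// Hardened version. Only a dotted JavaScript identifier is accepted as a
// callback name (e.g. jQuery17_cb or twttr.search.cb); anything else is a 400.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Escape characters that can break out of a <script> context or terminate a
// JS string even inside valid JSON: <, >, &, and the U+2028/U+2029 line
// separators, which are legal inside JSON strings but line breaks in JavaScript.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function buildJsonpResponse(callback, results) {
  if (typeof callback !== 'string' || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      // The response is script, never HTML, and the browser must not sniff it.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment keeps the body from starting with attacker-chosen
    // bytes even when the callback name itself is valid.
    body: '/**/ ' + callback + '(' + jsonForScript({ results }) + ');',
  };
}

// Constructed sample input: the callback from the PoC above, and a result
// whose text contains a closing script tag.
const POC_CALLBACK = '<script>alert("xss")</script>';
const SAMPLE_RESULTS = [{ text: 'hello </script><img src=x onerror=alert(1)>' }];

console.log(buildJsonpResponseVulnerable(POC_CALLBACK, SAMPLE_RESULTS).body);
console.log(buildJsonpResponse(POC_CALLBACK, SAMPLE_RESULTS).status);
console.log(buildJsonpResponse('twttr.search.cb', SAMPLE_RESULTS).body);
```

Two things in the hardened function are easy to forget: the callback allow-list alone does not protect the data part, since a result string containing `</script>` closes the script block when the response is rendered as HTML, and the Content-Type plus nosniff header is what stops a browser from rendering the response as a page in the first place.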
Screenshot:
Vendor response rate
Twitter's responsiveness, especially of Alex Payne, was great throughout Month of Twitter Bugs. The vulnerabilities were fixed in less than 24 hours. If I could give them 6 twits, I would. Excellent - 5 twits.
posted by avivra at 11:03 AM 0 Comments
Friday, July 31, 2009
MoTB #30: TweetDeck Insecure Communication Vulnerability
What is TweetDeck
"TweetDeck is your personal browser for staying in touch with what’s happening now, connecting you with your contacts across Twitter, Facebook and more. TweetDeck shows you everything you want to see at once, so you can stay organised and up to date." (TweetDeck about page)
Twitter effect
TweetDeck can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
TweetDeck uses username/password authentication to access the Twitter API.
Popularity rate
One of the most popular Twitter clients: 2nd place in the most-used Twitter clients list, with 25.6% usage in the past week - 5 twits
Vulnerability: Insecure communication vulnerability when displaying videos.
Status: Unpatched.
Details: TweetDeck does not use a secure connection when it displays videos inline (e.g. from Qik). An attacker who controls the victim's network (public WiFi, a compromised DNS server, etc.) can tamper with the plain-HTTP request to the video website and replace the response with rogue content (e.g. a fake update prompt that delivers malware).
This vulnerability can be used by an attacker to install malware on its victims' machines.
Screenshot:
Vendor response rate
The vendor has confirmed this as a vulnerability. They are working with their partners (Qik and 12seconds) to replace the current HTTP connection with HTTPS. While the vendor has yet to fix the vulnerability, they were very responsive and have promised to release a patch as soon as their partners implement SSL on their websites. Almost good - 3.5 twits.
posted by avivra at 6:23 PM 0 Comments
Wednesday, July 29, 2009
MoTB #29: Reflected XSS in chart.ly
What is chart.ly
"Share stock charts on Twitter" (chart.ly home page)
Twitter effect
chart.ly can be used to send tweets and follow other twitter users.
chart.ly uses the OAuth authentication method to access the Twitter API.
Popularity rate
A not so popular alternative to StockTwits - 1 twit
Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The chart.ly search page does not encode HTML entities in the "q" parameter, which allows the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: chart.ly/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.
posted by avivra at 5:45 PM 0 Comments
MoTB #28: Reflected XSS vulnerability in tweetburner
What is tweetburner
"Tracking the links that you share on Twitter" (tweetburner home page)
Twitter effect
tweetburner can be used to send tweets with the shortened URLs through a form on their website.
tweetburner uses username/password authentication to access the Twitter API.
Popularity rate
Yet another Twitter shortening service. Not as popular as others in this market - 2 twits
Vulnerability: Reflected Cross-Site Scripting in the shortened URL creation page.
Status: Unpatched.
Details: The tweetburner shortened URL creation page does not encode HTML entities in the "url" parameter, which allows the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: tweetburner.com/links/create?url=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:
Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.
posted by avivra at 5:36 PM 2 Comments
Monday, July 27, 2009
MoTB #27: Reflected XSS in Posterous
What is Posterous
"We love sharing thoughts, photos, audio, and files with our friends and family, but we didn't like how hard it was... so we made a better way. That's posterous. " (Posterous about page)
Twitter effect
Posterous can be used to send tweets by sending posts via email, or posting comments on existing posts.
Posterous uses the OAuth authentication method to access the Twitter API.
Popularity rate
25th place in the most-used Twitter clients list, according to "TwitStat" - 3.5 twits
Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Patched.
Details: The Posterous search page did not encode HTML entities in the "search" parameter, which could have allowed the injection of scripts. As the PoCs below show, the value was reflected inside a quoted attribute, so the payload first closes the attribute with "> and then opens a script tag.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concepts: avivra.posterous.com/?sort=bestmatch&search=testing%22%3E%3Cscript%3Ealert%28%22xss%22%29%3B%3C%2Fscript%3E
posterous.com/explore/?search=xxx%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E
Screenshots:
Vendor response rate
The vulnerability was fixed 12 hours after it was reported. Excellent - 5 twits.
posted by avivra at 7:57 PM 1 Comments
Sunday, July 26, 2009
MoTB #26: Reflected XSS in Tweeple Pages
What is Tweeple Pages
"Tweeple Pages is a user powered directory of Twitter users organized by their interests. Simply allow the Tweeple Pages application access and you can start discovering other users with similar interests as you!" (Tweeple Pages about page)
Twitter effect
Tweeple Pages can be used to follow and unfollow other Twitter users. Tweeple Pages uses the OAuth authentication method to access the Twitter API.
Popularity rate
Not a very popular alternative to twellow, wefollow, and other Twitter categorization services - 0.5 twits
Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The Tweeple Pages search page does not encode HTML entities in the "q" parameter, which allows the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: tweeplepages.com/search.php?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
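The search-page bugs in this post and in the chart.ly, tweetburner and Posterous posts above are all the same defect: a query parameter is concatenated into the page without HTML-entity encoding. Two reflection contexts appear in the PoCs, element text (where <script> works directly) and a quoted attribute value (where the payload first has to close the attribute with ">). The following is an added example, not code from any of the vendors, that renders a search page the vulnerable way and the encoded way and decodes the PoC URLs to the strings the server actually sees. The template markup is assumed.

```javascript
// Added example (not chart.ly's, tweetburner's, Posterous' or Tweeple Pages'
// code): a search page that reflects the query, vulnerable and fixed.
// The template markup is assumed; the PoC strings are those from the posts.
'use strict';

// Decode a PoC URL the way the server does, to see the raw payload.
// URL is a Node global; the scheme is added because the posts omit it.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Vulnerable: q is concatenated into HTML in two contexts, an attribute value
// and element text. Both payload shapes from the posts work against it.
function renderSearchPageVulnerable(q) {
  return '<form action="/search">' +
           '<input name="q" value="' + q + '">' +
         '</form>' +
         '<p>Results for ' + q + '</p>';
}

// The fix: encode the five characters that carry meaning in HTML text and in
// double- or single-quoted attribute values. Attribute values must also be
// quoted: an unquoted value= can be escaped with a space whatever is encoded.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSearchPage(q) {
  const safeQ = escapeHtml(q);
  return '<form action="/search">' +
           '<input name="q" value="' + safeQ + '">' +
         '</form>' +
         '<p>Results for ' + safeQ + '</p>';
}

// Regression check for a template that takes one untrusted string: count the
// tags in the output and subtract the five the template itself emits
// (<form>, <input>, </form>, <p>, </p>). Anything left over was injected.
function injectedTagCount(html) {
  const TEMPLATE_TAGS = 5;
  return (html.match(/<[a-zA-Z\/]/g) || []).length - TEMPLATE_TAGS;
}

// Constructed samples: the text-context payload used against chart.ly,
// tweetburner and Tweeple Pages, and the attribute-breakout used against
// Posterous and TwitStat.
const POC_SCRIPT = queryParam(
  'http://chart.ly/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E', 'q');
const POC_BREAKOUT = queryParam(
  'http://www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E', 'terms');

console.log(POC_SCRIPT);
console.log(renderSearchPageVulnerable(POC_BREAKOUT));
console.log(renderSearchPage(POC_BREAKOUT));
console.log(injectedTagCount(renderSearchPageVulnerable(POC_SCRIPT)),
            injectedTagCount(renderSearchPage(POC_SCRIPT)));
```

Encoding is the right fix for the text and quoted-attribute contexts shown here; it is not sufficient on its own if the same value is ever placed in a URL attribute (a javascript: scheme survives entity encoding) or inside an inline script, which each need their own encoding.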
Screenshot:
Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.
posted by avivra at 9:09 PM 0 Comments
Saturday, July 25, 2009
MoTB #25: CSRF+XSS vulnerabilities in TwitStat
What is TwitStat
TwitStat provides a mobile web interface for Twitter.
Twitter effect
TwitStat can be used to send tweets, direct messages and follow/unfollow other Twitter users.
TwitStat uses username/password authentication to access the Twitter API.
Popularity rate
30th place in the most-used Twitter clients list, according to "TwitStat" - 3 twits
Vulnerabilities:
1) Cross-Site Request Forgery in the main update page
Status: Patched.
Details: The TwitStat index.php page did not check an authenticity token to validate that an HTTP POST originated from the TwitStat web application itself, so any site a logged-in victim visited could submit the update form on their behalf.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
2) Reflected POST Cross-Site Scripting in the Search page.
Status: Patched.
Details: The TwitStat search page did not encode HTML entities in the "terms" form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
Screenshot:
Vendor response rate
The vulnerabilities were fixed 5 days after they were reported. Moderate - 3 twits.
posted by avivra at 10:33 PM 0 Comments