Mon, 04/13/2009 - 18:58

Twitter gets pwned by XSS exploit

I guess that’s not what they intended when they coined the term „viral marketing“. Just one day after I reactivated my Twitter account, their website was hit by an attack exploiting a cross-site scripting (XSS) vulnerability in the „Bio“ section of user profiles.

From what I could get out of the coverage by mashable and Damon Cortesi, the attacker successfully injected a piece of JavaScript code that would hijack the session of any user viewing an infected profile. It then used the hijacked session to publish a promotional message for a website called „StalkDaily.com“ before inserting itself into the newly infected user’s profile. Now anyone who would take a peek at the infected user’s Bio with a JavaScript-enabled browser would in turn also get infected.

What strikes me as surprising is that such a serious vulnerability (forgetting to escape user-generated field contents upon display is really, really nasty) has gone unnoticed for so long, especially since the nature of an exploit for this type of vulnerability is fairly trivial.

Since there is no way for a web browser to distinguish injected code from code that actually belongs to the trusted site, I’ll take this as a warning shot and as a strong incentive to enable JavaScript on a site-by-site basis only.
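To make the escaping point concrete, here is a small added example (my own illustration, not Twitter’s code and not taken from the coverage linked above). It renders a constructed profile field once without escaping, which is the defect described above, and once with output escaping via Ruby’s CGI.escapeHTML, and shows a session cookie marked HttpOnly so that injected script cannot read it via document.cookie. The bio string, the helper names and the cookie name are all assumptions made for this example.

```ruby
require 'cgi'

# Constructed sample bio: the kind of value a user could save in a profile
# field. It is a harmless marker used only to show whether the renderer
# escapes it; nothing in it does anything beyond a browser alert.
SAMPLE_BIO = %q{Hi! <script>alert('bio')</script> <b>bold</b>}

# Vulnerable rendering: the field is interpolated into the page verbatim,
# so any markup in it becomes part of the site's own document and runs
# with the site's privileges (the defect the post describes).
def render_bio_unescaped(bio)
  "<div class=\"bio\">#{bio}</div>"
end

# Fixed rendering: every user-controlled value is HTML-escaped at output
# time, so '<', '>', '&' and quotes reach the browser as text, not markup.
def render_bio_escaped(bio)
  "<div class=\"bio\">#{CGI.escapeHTML(bio)}</div>"
end

# A cheap check a reviewer can run over rendered output: does it still
# contain a raw <script tag or an inline on*= event handler attribute?
def contains_active_markup?(html)
  html =~ /<script\b|\son\w+\s*=/i ? true : false
end

# Session cookies marked HttpOnly are not exposed to document.cookie, which
# limits what injected script can read even if escaping is forgotten
# somewhere. The cookie name "_session" is an assumption for this example.
def session_cookie_header(session_id, secure: true)
  attrs = ["_session=#{session_id}", 'Path=/', 'HttpOnly']
  attrs << 'Secure' if secure
  'Set-Cookie: ' + attrs.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  puts render_bio_unescaped(SAMPLE_BIO)
  puts render_bio_escaped(SAMPLE_BIO)
  puts contains_active_markup?(render_bio_unescaped(SAMPLE_BIO))  # true
  puts contains_active_markup?(render_bio_escaped(SAMPLE_BIO))    # false
  puts session_cookie_header('constructed-session-id')
end
```

The escaped variant is what a template engine should do by default for every interpolated value; the HttpOnly flag is a second, independent layer that does not make an XSS bug harmless but does keep the session cookie out of reach of injected script.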

Comments

Thomas (not verified), Mon, 04/13/2009 - 21:35

Weeeeell, Twitter isn't

Weeeeell, Twitter isn't famous for their technical excellence. But it's all going to change now, because they are finally porting it over to scala. #rubybashingftw

But seriously, twitter's programming seems to be really sloppy. I don't know what they're doing, but I guess they just don't have enough money (see http://en.wikipedia.org/wiki/None) for paying serious codemonkeys.

Ingomar Wesp, Mon, 04/13/2009 - 22:19

Re: Weeeeell, Twitter isn't

Weeeeell, Twitter isn't famous for their technical excellence.

After reading a bit on Twitter’s history of problems at Wikipedia, this became apparent to me, too.

[…] I guess they just don't have enough money […]

Although I really don’t know how exactly this economy is supposed to work, the Wikipedia article sure sounds like they are stuffed with a few millions of venture capital. One would think this should be sufficient to pay for a thorough security check.

Thomas (not verified), Mon, 04/13/2009 - 23:00

Yeah I know they've loads of

Yeah I know they've loads of venture capital, but I'm sure they already spent it all on fancy cars and other expensive chick magnets.
