Massive Twitter Cross-Site Scripting Vulnerability
[NOTE: As if the attention-grabbing title ruining the surprise for you wasn't bad enough, I've got some more bad news. We let Twitter (via Kevin Rose) know about this before it went live but we think somebody saw the Test ! . ]
So as I’m sure everyone heard about the other day, Twitter recently added rel=nofollow to links produced by their API (e.g. the client you used to send the tweet). I was playing around with some settings today and noticed something interesting.
If you change the link in the application settings, it affects all of the historical tweets generated by the application. So it’s pretty quick and easy to experiment with different URLs and see what happens. I wonder if it’s possible to get rid of that pesky nofollow attribute? Let’s see what happens if we change our ‘Application Website’…..
Surely that wouldn’t work? They must be doing some checks on the URL. Right?
Oh, no, wait. It works. A clean, followed link out of Twitter again. Isn’t that nice?
Actually, if they were that stupid… what’s to say I couldn’t drop some other content in there? Yup, that works too. Take a look for yourself. Do I hear anyone saying “cross-site scripting”?
If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse – why not use Twitter’s own handily-available API to, I dunno, post a few tweets?
Any Twitter application developers out there I wonder? Maybe I could be more subtle about it, just drop a script in there that goes to their application settings page and changes their URL to drop some malware links around the place. Let’s just hope that the developers of TweetDeck or TwitterFox don’t look at any of my tweets!
Edit: Twitter have suspended the @apifail account – no big surprise there. That does mean you can’t see the demonstration though: it would just pop up a JavaScript alert box whenever the tweet was viewed. Obviously if it could do that… the world is your oyster! We recorded a quick video of it in action if you didn’t see if for yourself, we’ll post it tomorrow.
seosnafu 893 days ago
http://seosnafu.blogspot.comO.M.F.G.
Tiger 892 days ago
http://www.seoblackout.comNice find
Aussiewebmaster 892 days ago
Interesting that I am finding this page from this http://ow.ly/2boYiY url – now what sort of canonical issues will that have?
Greg 892 days ago
http://blog.himselfprod.comGreat Job !
Continue in this way
DaveN 892 days ago
@Aussiewebmaster we will see won’t we
it should give me so decent data
Massive Twitter Cross-Site Scripting Vulnerability | Hack In The Box 892 days ago
[...] reading here: Massive Twitter Cross-Site Scripting Vulnerability Share and [...]
Kean 892 days ago
http://www.keanrichmond.comSurely some reward must be due. With great power comes great responsibility…. and freebies
Michael 892 days ago
http://www.miscellus.comI’m glad you alerted Twitter. That was a nice find.
John Adams 892 days ago
We have patched this issue as of a few hours ago.
–john
Twitter Operations
jgg 892 days ago
Once again, Twitter fails at security. They seem to be good at this.
Dan Allen 892 days ago
http://montpelierwebsites.comDavid, I understand this is a big deal, so I am trying to retrace your steps, in order to understand exactly how this works.
I am stuck at “If you change the link in the application settings”. How do I do that? I do not know what application you are referring to. Sorry to be the slow poke… just looking for a little more info so I see how this works and then evaluate for myself what it means.
Any information you can provide will be extremely much appreciated.
Thanks,
Dan
alex 892 days ago
http://www.alexanderdickson.comThat ApiFail twitter account has been closed now!
Suneel 892 days ago
http://teamnirvana.com/blogThat’s a ludicrous thing that Twitter guys do not have an eye on. How can Twitter developers be o nthe constant prowl without checking all these sort of things?
I think they need to be presented a book related to hacks on websites and ask them to block all those kind of attacks. Earlier it was a basic DDoS which they failed to obstruct and now SiteScripting and what next??Edit their API settings without letting them be aware of it!! Might be on the next to-do list of hackers.
Jatin 892 days ago
http://www.technogarage.blogspot.comNice find …keep it up dude!!
Aroxo 892 days ago
http://www.aroxo.co.ukFor some reason I thought RoR protected you from XSS as a default, but clearly not… School boy error from a developer here and a pretty poot lack of testing.
Carps 892 days ago
http://www.itsafamilything.co.ukGood to see that Twitter have graciously acknowledged this :/
Carps 892 days ago
http://www.itsafamilything.co.ukAlso (as I’m sure we might point out later) if this was really patched “as of a few hours ago” it’s amusing to see that we’ve still got a working demo of it on another ID
Jonathan Alderson 892 days ago
http://www.twentysixsearch.comWow, that’s rather stunning – who would have thought of even attempting cross site scripting on Twitter? One just assumes that they’ve some rudimentary validation in place…
Gareth Trufitt 892 days ago
http://trufitt.comWhat an oversight on Twitter’s part! Surely that is something they would check before they put it live… Although they don’t seem too up with security and spam, it really is getting over run with spam bots now.
Nice find
m0nk5y 892 days ago
http://m0nk5y.comGrate find! I do not think twitter invests a lot of time in to these issues. Thanks for sharing that one!
The Twitter Exploit That Could Have Stolen Your Info and Much, Much More « Internet Marketing KB 892 days ago
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
Gaucho SEO 892 days ago
http://www.gauchoseo.com.arthe account is suspended
Ben McKay 892 days ago
http://www.justmeandmy.com@Gauche SEO, the second API fail account is still live: http://twitter.com/apifail2
A tad worrying but surprised you shared Dave – lol! Cool find though
Massive Twitter Security Problem Not Resolved Just Yet 892 days ago
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Vulnerabilidad crítica en Twitter [ENG] 892 days ago
[...] Vulnerabilidad crítica en Twitter [ENG]www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-v… por sregueira hace pocos segundos [...]
Matthias 892 days ago
http://swisstweets.ch/I get a Javascript Alert if I search for ‘apifail’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
Matthias 892 days ago
http://swisstweets.ch/I get a Javascript Alert if I search for ‘apifail2′ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
(sorry if this appears twice, just delete the other comment… WP is a bit annoying sometimes)
Massive Twitter Security Problem Not Resolved Just Yet | Anthonyrobinson.info 892 days ago
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Massive Twitter Security Problem Not Resolved Just Yet | Twimmer.com :: Twitter News 892 days ago
[...] Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Ted Muller 892 days ago
Twitter’s IT department is by far the worst IT department I’ve seen in my entire life. The API is crap, Twitter doesn’t run stable and is not secure at all.
But actually, that’s really no surprise, considering that the company is headed by two guys (Ev and Biz) who don’t have the slightest idea of what computer science is.
Idea nice, execution bad. Replace the whole management by some educated computer scientists!
Massive Twitter Security Problem Not Resolved Just Yet | Family Learning Center 892 days ago
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Security Briefing – August 26th : Liquidmatrix Security Digest 892 days ago
[...] Massive Twitter Cross Site Scripting Vulnerability – David Naylor [...]
Your Twitter Account is in Jeopardy - News: Everything-e 892 days ago
[...] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet [...]
mafutrct 892 days ago
http://mafutrct.wordpress.com/Nice find, thank you. I’m surprised a company as big as twitter fails at such basic stuff. Wait, scratch that.
Massive Twitter Security Problem Not Resolved Just Yet | Technology 892 days ago
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Daniel Aristizabal Romero (cronopio) 's status on Wednesday, 26-Aug-09 18:23:11 UTC - Identi.ca 892 days ago
[...] http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html [...]
Live-Point Official Blog » Blog Archive » Massive Twitter Cross-Site Scripting Vulnerability 892 days ago
[...] Here is the original post: Massive Twitter Cross-Site Scripting Vulnerability [...]
Linkpost | 8.26.2009 - L&C Tech Talk 891 days ago
[...] • Twitter’s In Your Tweets Trackin’ Your Links – Temporarily, anyway. Tracking code was in Twitter’s links, and now it’s gone. The company has talked about offering stats services to businesses, and maybe this was a test. Also Massive Twitter Cross-Site Scripting Vulnerability [...]
Twitterの重大なセキュリティ問題がまだ未解決状態のままだ 891 days ago
[...] 昨日(米国時間8/25)イギリスのSEO屋Dave Naylorが書いた記事が、大きなニュースになった。その記事は、クロスサイトスクリプティングに対するTwitterの深刻な脆弱性を詳しく述べている。彼は‘つぶやき’の中の、通常はアプリケーションデベロッパが何かの製品のWebサイトへのリンクを書くような欄にJavaScriptのコードを書くという簡単な方法で、攻撃に成功した。このバグを利用すると、セッションのクッキーを盗む、Twitterワームを作る、あるいは不注意な訪問者にマルウェアを感染させるなど、ありとあらゆる悪事が可能だ。だからこれは、重大なセキュリティ問題と呼んでも過言ではない。 [...]
2 Blog » Blog Archive » The Twitter Exploit That Could Have Stolen Your Info and Much, Much More 890 days ago
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
Update: Your Twitter Account is Still in Jeopardy - Google Live Search 890 days ago
[...] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet [...]
blogging tips 887 days ago
http://glowicki.pldecent info as usual.. i bet many people made $ before it went down
Advertisers Blog » Blog Archive » The Twitter Exploit That Could Have Stolen Your Info and Much, Much More 883 days ago
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
You cannot be careful enough when you are twitter. at comp527 874 days ago
[...] target of many DDoS attacks, (other link) as well as exploits targeting its XSS vulnerabilities (other link). Details of a more interesting attack on Twitter appeared in July this [...]
September Link Clearance « facepalm 866 days ago
[...] link Twitter makes it easy to look good, what with their massive incompetence [...]
The Twitter Exploit That Could Have Stolen Your Info and Much, Much More 814 days ago
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
daforum 807 days ago
http://www.da-forum.comamazing find !
Content Marketing: Yes, this is a Content Scrape. Get Over it! 799 days ago
[...] in point: our original story about the Twitter hack got a fraction of the retweets that the rewrite on Mashable did over the first days as the story [...]
Week 35 in Review – 2009 | Infosec Events 723 days ago
[...] Massive Twitter Cross-Site Scripting Vulnerability – davidnaylor.co.uk [...]
Praetorian Prefect | Persistent XSS on Twitter.com 590 days ago
[...] problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the [...]
Popular News 2010 » Blog Archive » Persistent XSS on Twitter.com 589 days ago
[...] problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the [...]
This Month in the Threat Webscape – June 2010 : CU*Secure 573 days ago
[...] cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around [...]
This Month in the Threat Webscape – June 2010 | HackerSafe Security Related Blog for all 554 days ago
[...] cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around [...]
XSS: Get linked from dmoz instantly 317 days ago
[...] not the only site to ever become subject to an XSS exploit, twitter has been vulnerable plenty of times, but by golly they fixed [...]
Twitter struggles to plug security hole | Richard Hartley 132 days ago
[...] has a security hole, Photo by Daniel Rothamel/Flickr, Some Rights ReservedYesterday, James Slater with SEO specialist firm Dave Naylor uncovered a security hole on popular micro-blogging service Twitter that could allow accounts and user details to be stolen [...]