Massive Twitter Cross-Site Scripting Vulnerability
[NOTE: As if the attention-grabbing title ruining the surprise for you wasn't bad enough, I've got some more bad news. We let Twitter (via Kevin Rose) know about this before it went live, but we think somebody saw the test!]
As I’m sure everyone heard the other day, Twitter recently added rel=nofollow to links produced by their API (i.e. the link to the client you used to send the tweet). I was playing around with some settings today and noticed something interesting.
If you change the link in the application settings, it affects all of the historical tweets generated by the application. So it’s quick and easy to experiment with different URLs and see what happens. I wonder if it’s possible to get rid of that pesky nofollow attribute? Let’s see what happens if we change our ‘Application Website’…

Surely that wouldn’t work? They must be doing some checks on the URL. Right?

Oh, no, wait. It works. A clean, followed link out of Twitter again. Isn’t that nice?
Actually, if they were that stupid… what’s to say I couldn’t drop some other content in there? Yup, that works too. Take a look for yourself. Do I hear anyone saying “cross-site scripting”?
If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse – why not use Twitter’s own handily-available API to, I dunno, post a few tweets?
Any Twitter application developers out there I wonder? Maybe I could be more subtle about it, just drop a script in there that goes to their application settings page and changes their URL to drop some malware links around the place. Let’s just hope that the developers of TweetDeck or TwitterFox don’t look at any of my tweets!
Edit: Twitter have suspended the @apifail account – no big surprise there. That does mean you can’t see the demonstration though: it would just pop up a JavaScript alert box whenever the tweet was viewed. Obviously if it could do that… the world is your oyster! We recorded a quick video of it in action if you didn’t see it for yourself; we’ll post it tomorrow.
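The mistake described above, as an added example that is not Twitter's code and not from the original post: the "via <application>" link rendered straight from the Application Website field, beside a hardened version that validates the URL and escapes the output. Function names and the sample field values are hypothetical.

```ruby
# Added example, not Twitter's code: the "via <application>" link that the post
# describes, rendered the unsafe way and then the hardened way. The function
# names and the sample "Application Website" values are hypothetical.
require 'erb'
require 'uri'

# Vulnerable rendering: whatever the app developer typed into the
# "Application Website" field is dropped straight into the tweet's HTML.
# A value containing a quote and a tag therefore breaks out of the href
# attribute, which is the stored XSS the post demonstrates.
def render_via_unsafe(app_name, app_url)
  %(via <a href="#{app_url}" rel="nofollow">#{app_name}</a>)
end

# Returns the normalised URL if it parses as an absolute http(s) URL with a
# host, otherwise nil. javascript:/data: schemes fail the class check, and
# attribute-breakout strings (quotes, angle brackets) fail to parse at all.
def safe_app_url(raw)
  uri = URI.parse(raw.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Hardened rendering: validate the URL first, then HTML-escape both the
# attribute value and the visible name, so nothing user-controlled is ever
# interpreted as markup. A rejected URL yields plain text with no link at all.
def render_via_safe(app_name, app_url)
  url  = safe_app_url(app_url)
  name = ERB::Util.html_escape(app_name)
  return "via #{name}" if url.nil?
  %(via <a href="#{ERB::Util.html_escape(url)}" rel="nofollow">#{name}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample field values, not taken from the original post.
  samples = ['http://example.com/app', 'javascript:alert(1)',
             '"><script>alert(1)</script>']
  samples.each do |value|
    puts "unsafe: #{render_via_unsafe('DemoApp', value)}"
    puts "safe:   #{render_via_safe('DemoApp', value)}"
  end
end
```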

seosnafu 1366 days ago
http://seosnafu.blogspot.com
O.M.F.G.
Tiger 1366 days ago
http://www.seoblackout.com
Nice find
Aussiewebmaster 1366 days ago
Interesting that I am finding this page from this http://ow.ly/2boYiY url – now what sort of canonical issues will that have?
Greg 1366 days ago
http://blog.himselfprod.com
Great job!
Continue in this way
DaveN 1366 days ago
@Aussiewebmaster we will see, won’t we.
It should give me some decent data.
Massive Twitter Cross-Site Scripting Vulnerability | Hack In The Box 1366 days ago
[...] reading here: Massive Twitter Cross-Site Scripting Vulnerability Share and [...]
Kean 1366 days ago
http://www.keanrichmond.com
Surely some reward must be due. With great power comes great responsibility… and freebies
Michael 1366 days ago
http://www.miscellus.com
I’m glad you alerted Twitter. That was a nice find.
John Adams 1366 days ago
We have patched this issue as of a few hours ago.
–john
Twitter Operations
jgg 1366 days ago
Once again, Twitter fails at security. They seem to be good at this.
Dan Allen 1365 days ago
http://montpelierwebsites.com
David, I understand this is a big deal, so I am trying to retrace your steps, in order to understand exactly how this works.
I am stuck at “If you change the link in the application settings”. How do I do that? I do not know what application you are referring to. Sorry to be the slow poke… just looking for a little more info so I see how this works and then evaluate for myself what it means.
Any information you can provide will be extremely much appreciated.
Thanks,
Dan
alex 1365 days ago
http://www.alexanderdickson.com
That ApiFail twitter account has been closed now!
Suneel 1365 days ago
http://teamnirvana.com/blog
That’s a ludicrous thing that Twitter guys do not have an eye on. How can Twitter developers be on the constant prowl without checking all these sort of things?
I think they need to be presented a book related to hacks on websites and ask them to block all those kind of attacks. Earlier it was a basic DDoS which they failed to obstruct and now SiteScripting and what next?? Edit their API settings without letting them be aware of it!! Might be on the next to-do list of hackers.
Jatin 1365 days ago
http://www.technogarage.blogspot.com
Nice find… keep it up dude!!
Aroxo 1365 days ago
http://www.aroxo.co.uk
For some reason I thought RoR protected you from XSS as a default, but clearly not… Schoolboy error from a developer here and a pretty poor lack of testing.
Carps 1365 days ago
http://www.itsafamilything.co.uk
Good to see that Twitter have graciously acknowledged this :/
Carps 1365 days ago
http://www.itsafamilything.co.uk
Also (as I’m sure we might point out later) if this was really patched “as of a few hours ago” it’s amusing to see that we’ve still got a working demo of it on another ID
Jonathan Alderson 1365 days ago
http://www.twentysixsearch.com
Wow, that’s rather stunning – who would have thought of even attempting cross site scripting on Twitter? One just assumes that they’ve some rudimentary validation in place…
Gareth Trufitt 1365 days ago
http://trufitt.com
What an oversight on Twitter’s part! Surely that is something they would check before they put it live… Although they don’t seem too up with security and spam, it really is getting overrun with spam bots now.
Nice find
m0nk5y 1365 days ago
http://m0nk5y.com
Great find! I do not think twitter invests a lot of time into these issues. Thanks for sharing that one!
The Twitter Exploit That Could Have Stolen Your Info and Much, Much More « Internet Marketing KB 1365 days ago
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
Gaucho SEO 1365 days ago
http://www.gauchoseo.com.ar
The account is suspended
Ben McKay 1365 days ago
http://www.justmeandmy.com
@Gauche SEO, the second API fail account is still live: http://twitter.com/apifail2
A tad worrying but surprised you shared Dave – lol! Cool find though
Massive Twitter Security Problem Not Resolved Just Yet 1365 days ago
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Critical vulnerability in Twitter [ENG] 1365 days ago
[...] Critical vulnerability in Twitter [ENG] www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-v… by sregueira a few seconds ago [...]
Matthias 1365 days ago
http://swisstweets.ch/
I get a Javascript Alert if I search for ‘apifail’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
Matthias 1365 days ago
http://swisstweets.ch/
I get a Javascript Alert if I search for ‘apifail2’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
(sorry if this appears twice, just delete the other comment… WP is a bit annoying sometimes)
Massive Twitter Security Problem Not Resolved Just Yet | Twimmer.com :: Twitter News 1365 days ago
[...] Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
Ted Muller 1365 days ago
Twitter’s IT department is by far the worst IT department I’ve seen in my entire life. The API is crap, Twitter doesn’t run stable and is not secure at all.
But actually, that’s really no surprise, considering that the company is headed by two guys (Ev and Biz) who don’t have the slightest idea of what computer science is.
Idea nice, execution bad. Replace the whole management by some educated computer scientists!
Security Briefing – August 26th : Liquidmatrix Security Digest 1365 days ago
[...] Massive Twitter Cross Site Scripting Vulnerability – David Naylor [...]
Your Twitter Account is in Jeopardy - News: Everything-e 1365 days ago
[...] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet [...]
mafutrct 1365 days ago
http://mafutrct.wordpress.com/
Nice find, thank you. I’m surprised a company as big as twitter fails at such basic stuff. Wait, scratch that.
Daniel Aristizabal Romero (cronopio) 's status on Wednesday, 26-Aug-09 18:23:11 UTC - Identi.ca 1365 days ago
[...] http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html [...]
Live-Point Official Blog » Blog Archive » Massive Twitter Cross-Site Scripting Vulnerability 1365 days ago
[...] Here is the original post: Massive Twitter Cross-Site Scripting Vulnerability [...]
Linkpost | 8.26.2009 - L&C Tech Talk 1365 days ago
[...] • Twitter’s In Your Tweets Trackin’ Your Links – Temporarily, anyway. Tracking code was in Twitter’s links, and now it’s gone. The company has talked about offering stats services to businesses, and maybe this was a test. Also Massive Twitter Cross-Site Scripting Vulnerability [...]
Twitter's serious security problem remains unresolved 1364 days ago
[...] Yesterday (August 25, US time) an article written by UK SEO specialist Dave Naylor became big news. The article describes in detail a serious cross-site scripting vulnerability in Twitter. He succeeded in the attack by the simple method of writing JavaScript code into the field of a tweet where application developers normally put a link to their product's website. Exploiting this bug makes all kinds of mischief possible, such as stealing session cookies, building a Twitter worm, or infecting careless visitors with malware. So it is no exaggeration to call this a serious security problem. [...]
blogging tips 1360 days ago
http://glowicki.pl
Decent info as usual… I bet many people made $ before it went down
You cannot be careful enough when you are twitter. at comp527 1347 days ago
[...] target of many DDoS attacks, (other link) as well as exploits targeting its XSS vulnerabilities (other link). Details of a more interesting attack on Twitter appeared in July this [...]
September Link Clearance « facepalm 1339 days ago
[...] link Twitter makes it easy to look good, what with their massive incompetence [...]
daforum 1280 days ago
http://www.da-forum.com
Amazing find!
Content Marketing: Yes, this is a Content Scrape. Get Over it! 1273 days ago
[...] in point: our original story about the Twitter hack got a fraction of the retweets that the rewrite on Mashable did over the first days as the story [...]
Week 35 in Review – 2009 | Infosec Events 1196 days ago
[...] Massive Twitter Cross-Site Scripting Vulnerability – davidnaylor.co.uk [...]
Praetorian Prefect | Persistent XSS on Twitter.com 1063 days ago
[...] problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the [...]
This Month in the Threat Webscape – June 2010 : CU*Secure 1046 days ago
[...] cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around [...]
XSS: Get linked from dmoz instantly 790 days ago
[...] not the only site to ever become subject to an XSS exploit, twitter has been vulnerable plenty of times, but by golly they fixed [...]
Twitter struggles to plug security hole | Richard Hartley 605 days ago
[...] has a security hole. Photo by Daniel Rothamel/Flickr, Some Rights Reserved. Yesterday, James Slater with SEO specialist firm Dave Naylor uncovered a security hole on popular micro-blogging service Twitter that could allow accounts and user details to be stolen [...]