48 Comments
- 2
Nice find

- 3
Interesting that I am finding this page from this http://ow.ly/2boYiY url – now what sort of canonical issues will that have?
- 4
Great Job !
Continue in this way
- 5
@Aussiewebmaster we will see won’t we
it should give me some decent data
- 6
[...] reading here: Massive Twitter Cross-Site Scripting Vulnerability Share and [...]
- 7
Surely some reward must be due. With great power comes great responsibility…. and freebies
- 8
I’m glad you alerted Twitter. That was a nice find.
- 9
We have patched this issue as of a few hours ago.
–john
Twitter Operations
- 10
Once again, Twitter fails at security. They seem to be good at this.
- 11
David, I understand this is a big deal, so I am trying to retrace your steps, in order to understand exactly how this works.
I am stuck at “If you change the link in the application settings”. How do I do that? I do not know what application you are referring to. Sorry to be the slow poke… just looking for a little more info so I see how this works and then evaluate for myself what it means.
Any information you can provide will be extremely much appreciated.
Thanks,
Dan
- 12
That ApiFail twitter account has been closed now!
- 13
That’s a ludicrous thing that Twitter guys do not have an eye on. How can Twitter developers be on the constant prowl without checking all these sorts of things?
I think they need to be presented a book related to hacks on websites and asked to block all those kinds of attacks. Earlier it was a basic DDoS which they failed to obstruct and now site scripting and what next?? Edit their API settings without letting them be aware of it!! Might be on the next to-do list of hackers.
- 14
Nice find …keep it up dude!!
- 15
For some reason I thought RoR protected you from XSS as a default, but clearly not… Schoolboy error from a developer here and a pretty poor lack of testing.
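As an added illustration of the kind of default output escaping this comment has in mind, here is a small Ruby example (written for this page; it is not code from the post, from Twitter, or from Rails) that builds the "from [client]" link the pingbacks above describe: the URL comes from an application's settings field and lands in an `href` with `rel="nofollow"`. The function names, the link format and the sample inputs are assumptions. It contrasts plain string interpolation with a version that allowlists the URL scheme and HTML-escapes every value before it reaches the markup.

```ruby
require 'cgi'
require 'uri'

# Constructed sample values of the kind an application registration form might
# receive in its "source URL" field (hypothetical test inputs, not from the post).
SAMPLE_URLS = [
  'http://example.com/client',   # benign
  '" onmouseover="x()',          # tries to break out of the href attribute
  'javascript:x()'               # dangerous scheme; HTML escaping alone leaves it intact
].freeze

# Unsafe builder: interpolates the stored value straight into the markup,
# so anything the user typed into the settings field becomes part of the tag.
def unsafe_source_link(name, url)
  %(<a href="#{url}" rel="nofollow">#{name}</a>)
end

# Only absolute http(s) URLs with a host are accepted. Malformed input raises
# URI::InvalidURIError, which is treated as "not a usable URL".
def safe_url?(url)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme.to_s.downcase) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Safe builder: reject non-http(s) URLs entirely (falling back to plain text),
# then HTML-escape both the attribute value and the link text.
def safe_source_link(name, url)
  return CGI.escapeHTML(name) unless safe_url?(url)
  %(<a href="#{CGI.escapeHTML(url)}" rel="nofollow">#{CGI.escapeHTML(name)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_URLS.each do |url|
    puts "input:  #{url.inspect}"
    puts "unsafe: #{unsafe_source_link('TweetClient', url)}"
    puts "safe:   #{safe_source_link('TweetClient', url)}"
    puts
  end
end
```

The scheme check matters because HTML escaping only protects the attribute boundary: a `javascript:` URL contains no characters that `CGI.escapeHTML` would touch, so a builder that escapes but does not allowlist schemes still emits a clickable script URL. Framework auto-escaping, where present, covers the first problem and not the second.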
- 16
Good to see that Twitter have graciously acknowledged this :/
- 17
Also (as I’m sure we might point out later) if this was really patched “as of a few hours ago” it’s amusing to see that we’ve still got a working demo of it on another ID

- 18
Wow, that’s rather stunning – who would have thought of even attempting cross site scripting on Twitter? One just assumes that they’ve some rudimentary validation in place…
- 19
What an oversight on Twitter’s part! Surely that is something they would check before they put it live… Although they don’t seem too up with security and spam, it really is getting over run with spam bots now.
Nice find
- 20
Great find! I do not think Twitter invests a lot of time into these issues. Thanks for sharing that one!
- 21
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
- 22
the account is suspended

- 23
@Gauche SEO, the second API fail account is still live: http://twitter.com/apifail2
A tad worrying but surprised you shared Dave – lol! Cool find though

- 24
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
- 25
[...] Critical vulnerability in Twitter [ENG] www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-v… by sregueira a few seconds ago [...]
- 26
I get a Javascript Alert if I search for ‘apifail’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
- 27
I get a Javascript Alert if I search for ‘apifail2’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
(sorry if this appears twice, just delete the other comment… WP is a bit annoying sometimes)
- 28
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
- 29
[...] Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
- 30
Twitter’s IT department is by far the worst IT department I’ve seen in my entire life. The API is crap, Twitter doesn’t run stable and is not secure at all.
But actually, that’s really no surprise, considering that the company is headed by two guys (Ev and Biz) who don’t have the slightest idea of what computer science is.
Idea nice, execution bad. Replace the whole management by some educated computer scientists!
- 31
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
- 32
[...] Massive Twitter Cross Site Scripting Vulnerability – David Naylor [...]
- 33
[...] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet [...]
- 34
Nice find, thank you. I’m surprised a company as big as twitter fails at such basic stuff. Wait, scratch that.
- 35
[...] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field [...]
- 37
[...] Here is the original post: Massive Twitter Cross-Site Scripting Vulnerability [...]
- 38
[...] • Twitter’s In Your Tweets Trackin’ Your Links – Temporarily, anyway. Tracking code was in Twitter’s links, and now it’s gone. The company has talked about offering stats services to businesses, and maybe this was a test. Also Massive Twitter Cross-Site Scripting Vulnerability [...]
- 39
[...] Yesterday (August 25, US time) an article written by UK SEO specialist Dave Naylor became big news. The article describes in detail a serious cross-site scripting vulnerability in Twitter. He succeeded in the attack by the simple method of writing JavaScript code in the field of a ‘tweet’ where an application developer would normally put a link to some product’s website. Using this bug, all kinds of mischief are possible, such as stealing session cookies, creating a Twitter worm, or infecting careless visitors with malware. So it is no exaggeration to call this a serious security problem. [...]
- 40
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
- 41
[...] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet [...]
- 42
Decent info as usual… I bet many people made $ before it went down
- 43
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
- 44
[...] target of many DDoS attacks, (other link) as well as exploits targeting its XSS vulnerabilities (other link). Details of a more interesting attack on Twitter appeared in July this [...]
- 45
[...] link Twitter makes it easy to look good, what with their massive incompetence [...]
- 46
[...] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you [...]
- 47
amazing find !
- 48
[...] in point: our original story about the Twitter hack got a fraction of the retweets that the rewrite on Mashable did over the first days as the story [...]
O.M.F.G.