Massive Twitter Cross-Site Scripting Vulnerability

by James Slater
Bronco - Digital Marketing Agency

[NOTE: As if the attention-grabbing title ruining the surprise for you wasn't bad enough, I've got some more bad news. We let Twitter (via Kevin Rose) know about this before it went live but we think somebody saw the Test ! . ]

So as I’m sure everyone heard about the other day, Twitter recently added rel=nofollow to links produced by their API (e.g. the client you used to send the tweet). I was playing around with some settings today and noticed something interesting.

If you change the link in the application settings, it affects all of the historical tweets generated by the application. So it’s pretty quick and easy to experiment with different URLs and see what happens. I wonder if it’s possible to get rid of that pesky nofollow attribute? Let’s see what happens if we change our ‘Application Website’…

[Screenshot: twitter_rel_external]

Surely that wouldn’t work? They must be doing some checks on the URL. Right?

[Screenshot: twitter_rel_external_proof]

Oh, no, wait. It works. A clean, followed link out of Twitter again. Isn’t that nice?

Actually, if they were that stupid… what’s to say I couldn’t drop some other content in there? Yup, that works too. Take a look for yourself. Do I hear anyone saying “cross-site scripting”?

If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse – why not use Twitter’s own handily-available API to, I dunno, post a few tweets?

Any Twitter application developers out there I wonder? Maybe I could be more subtle about it, just drop a script in there that goes to their application settings page and changes their URL to drop some malware links around the place. Let’s just hope that the developers of TweetDeck or TwitterFox don’t look at any of my tweets!
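The bug described above is a textbook stored XSS: a developer-controlled "Application Website" string is dropped straight into the `<a href="…" rel="nofollow">` tag that Twitter renders under every tweet sent from that app. The snippet below is an added illustration (not Twitter's code) showing the vulnerable rendering beside a hardened version that validates the URL scheme and escapes on output; the `app` object shape and the sample website value are constructed for the example.

```javascript
// Added example, not Twitter's code. Assumed shape of an app record
// from the application settings page: { name, website }.

// Escape a string for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// VULNERABLE: whatever the developer typed lands in the markup verbatim,
// so a closing quote in the website field rewrites the rest of the tag
// (e.g. swapping rel="nofollow" for something else, or adding handlers).
function renderSourceLinkVulnerable(app) {
  return `<a href="${app.website}" rel="nofollow">${app.name}</a>`;
}

// Accept only absolute http(s) URLs; the parser also percent-encodes
// quotes and spaces, so nothing can break out of the attribute later.
function validateWebsite(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// HARDENED: validate on input, escape on output, and fall back to
// plain text (no link at all) when the URL is rejected.
function renderSourceLinkSafe(app) {
  const name = escapeHtmlAttr(app.name);
  const website = validateWebsite(app.website);
  if (website === null) return `<span>${name}</span>`;
  return `<a href="${escapeHtmlAttr(website)}" rel="nofollow">${name}</a>`;
}

// Constructed sample input: the attribute break-out the post describes.
const sampleApp = {
  name: 'apifail',
  website: 'http://example.invalid/" rel="external',
};
```

Run `renderSourceLinkVulnerable(sampleApp)` and `renderSourceLinkSafe(sampleApp)` side by side: the first emits a second `rel` attribute, the second keeps the quote inside the `href` as `%22`.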

“Taking Down Twitter” on my blog.

Edit: Twitter have suspended the @apifail account – no big surprise there. That does mean you can’t see the demonstration though: it would just pop up a JavaScript alert box whenever the tweet was viewed. Obviously if it could do that… the world is your oyster! We recorded a quick video of it in action if you didn’t see it for yourself; we’ll post it tomorrow.
