Massive Twitter Cross-Site Scripting Vulnerability
[NOTE: As if the attention-grabbing title ruining the surprise for you wasn’t bad enough, I’ve got some more bad news. We let Twitter (via Kevin Rose) know about this before it went live but we think somebody saw the Test ! . ]
So as I’m sure everyone heard about the other day, Twitter recently added rel=nofollow to links produced by their API (e.g. the client you used to send the tweet). I was playing around with some settings today and noticed something interesting.
If you change the link in the application settings, it affects all of the historical tweets generated by the application. So it’s pretty quick and easy to experiment with different URLs and see what happens. I wonder if it’s possible to get rid of that pesky nofollow attribute? Let’s see what happens if we change our ‘Application Website’…..

Surely that wouldn’t work? They must be doing some checks on the URL. Right?

Oh, no, wait. It works. A clean, followed link out of Twitter again. Isn’t that nice?
Actually, if they were that stupid… what’s to say I couldn’t drop some other content in there? Yup, that works too. Take a look for yourself. Do I hear anyone saying “cross-site scripting”?
If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse – why not use Twitter’s own handily-available API to, I dunno, post a few tweets?
Any Twitter application developers out there I wonder? Maybe I could be more subtle about it, just drop a script in there that goes to their application settings page and changes their URL to drop some malware links around the place. Let’s just hope that the developers of TweetDeck or TwitterFox don’t look at any of my tweets!
“Taking Down Twitter” on my blog.
Edit: Twitter have suspended the @apifail account – no big surprise there. That does mean you can’t see the demonstration though: it would just pop up a JavaScript alert box whenever the tweet was viewed. Obviously if it could do that… the world is your oyster! We recorded a quick video of it in action if you didn’t see if for yourself, we’ll post it tomorrow.
55 Comments
seosnafu - http://seosnafu.blogspot.com
O.M.F.G.
Tiger - http://www.seoblackout.com
Nice find 🙂
Aussiewebmaster
Interesting that I am finding this page from this http://ow.ly/2boYiY url – now what sort of canonical issues will that have?
Greg - http://blog.himselfprod.com
Great Job !
Continue in this way 🙂
DaveN
@Aussiewebmaster we will see won’t we 😉 it should give me so decent data
Massive Twitter Cross-Site Scripting Vulnerability | Hack In The Box - pingback
[…] reading here: Massive Twitter Cross-Site Scripting Vulnerability Share and […]
Kean - http://www.keanrichmond.com
Surely some reward must be due. With great power comes great responsibility…. and freebies
Michael - http://www.miscellus.com
I’m glad you alerted Twitter. That was a nice find.
John Adams
We have patched this issue as of a few hours ago.
–john
Twitter Operations
jgg
Once again, Twitter fails at security. They seem to be good at this.
Dan Allen - http://montpelierwebsites.com
David, I understand this is a big deal, so I am trying to retrace your steps, in order to understand exactly how this works.
I am stuck at “If you change the link in the application settings”. How do I do that? I do not know what application you are referring to. Sorry to be the slow poke… just looking for a little more info so I see how this works and then evaluate for myself what it means.
Any information you can provide will be extremely much appreciated.
Thanks,
Dan
alex - http://www.alexanderdickson.com
That ApiFail twitter account has been closed now!
Suneel - http://teamnirvana.com/blog
That’s a ludicrous thing that Twitter guys do not have an eye on. How can Twitter developers be o nthe constant prowl without checking all these sort of things?
I think they need to be presented a book related to hacks on websites and ask them to block all those kind of attacks. Earlier it was a basic DDoS which they failed to obstruct and now SiteScripting and what next??Edit their API settings without letting them be aware of it!! Might be on the next to-do list of hackers.
Jatin - http://www.technogarage.blogspot.com
Nice find …keep it up dude!!
Aroxo - http://www.aroxo.co.uk
For some reason I thought RoR protected you from XSS as a default, but clearly not… School boy error from a developer here and a pretty poot lack of testing.
Carps - http://www.itsafamilything.co.uk
Good to see that Twitter have graciously acknowledged this :/
Carps - http://www.itsafamilything.co.uk
Also (as I’m sure we might point out later) if this was really patched “as of a few hours ago” it’s amusing to see that we’ve still got a working demo of it on another ID
🙂
Jonathan Alderson - http://www.twentysixsearch.com
Wow, that’s rather stunning – who would have thought of even attempting cross site scripting on Twitter? One just assumes that they’ve some rudimentary validation in place…
Gareth Trufitt - http://trufitt.com
What an oversight on Twitter’s part! Surely that is something they would check before they put it live… Although they don’t seem too up with security and spam, it really is getting over run with spam bots now.
Nice find
m0nk5y - http://m0nk5y.com
Grate find! I do not think twitter invests a lot of time in to these issues. Thanks for sharing that one!
The Twitter Exploit That Could Have Stolen Your Info and Much, Much More « Internet Marketing KB - pingback
[…] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you […]
Gaucho SEO - http://www.gauchoseo.com.ar
the account is suspended 🙁
Ben McKay - http://www.justmeandmy.com
@Gauche SEO, the second API fail account is still live: http://twitter.com/apifail2
A tad worrying but surprised you shared Dave – lol! Cool find though 🙂
Massive Twitter Security Problem Not Resolved Just Yet - pingback
[…] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field […]
Vulnerabilidad crítica en Twitter [ENG] - pingback
[…] Vulnerabilidad crítica en Twitter [ENG]www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-v… por sregueira hace pocos segundos […]
Matthias - http://swisstweets.ch/
I get a Javascript Alert if I search for ‘apifail’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
Matthias - http://swisstweets.ch/
I get a Javascript Alert if I search for ‘apifail2’ in the Twitter search (right sidebar). Is it just me? Here’s a screenshot: http://twitpic.com/fbjfo
(sorry if this appears twice, just delete the other comment… WP is a bit annoying sometimes)
Massive Twitter Security Problem Not Resolved Just Yet | Anthonyrobinson.info - pingback
[…] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field […]
Massive Twitter Security Problem Not Resolved Just Yet | Twimmer.com :: Twitter News - pingback
[…] Yesterday UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field […]
Ted Muller
Twitter’s IT department is by far the worst IT department I’ve seen in my entire life. The API is crap, Twitter doesn’t run stable and is not secure at all.
But actually, that’s really no surprise, considering that the company is headed by two guys (Ev and Biz) who don’t have the slightest idea of what computer science is.
Idea nice, execution bad. Replace the whole management by some educated computer scientists!
Massive Twitter Security Problem Not Resolved Just Yet | Family Learning Center - pingback
[…] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field […]
Security Briefing – August 26th : Liquidmatrix Security Digest - pingback
[…] Massive Twitter Cross Site Scripting Vulnerability – David Naylor […]
Your Twitter Account is in Jeopardy - News: Everything-e - pingback
[…] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet […]
mafutrct - http://mafutrct.wordpress.com/
Nice find, thank you. I’m surprised a company as big as twitter fails at such basic stuff. Wait, scratch that.
Massive Twitter Security Problem Not Resolved Just Yet | Technology - pingback
[…] UK-based SEO specialist Dave Naylor made headlines by detailing a significant Twitter cross-site scripting vulnerability, which allowed him to insert JavaScript code into tweets simply by adding some code to the field […]
Daniel Aristizabal Romero (cronopio) 's status on Wednesday, 26-Aug-09 18:23:11 UTC - Identi.ca - pingback
[…] http://www.davidnaylor.co.uk/massive-twitter-cross-site-scripting-vulnerability.html […]
Live-Point Official Blog » Blog Archive » Massive Twitter Cross-Site Scripting Vulnerability - pingback
[…] Here is the original post: Massive Twitter Cross-Site Scripting Vulnerability […]
Linkpost | 8.26.2009 - L&C Tech Talk - pingback
[…] • Twitter’s In Your Tweets Trackin’ Your Links – Temporarily, anyway. Tracking code was in Twitter’s links, and now it’s gone. The company has talked about offering stats services to businesses, and maybe this was a test. Also Massive Twitter Cross-Site Scripting Vulnerability […]
Twitterの重大なセキュリティ問題がまだ未解決状態のままだ - pingback
[…] 昨日(米国時間8/25)イギリスのSEO屋Dave Naylorが書いた記事が、大きなニュースになった。その記事は、クロスサイトスクリプティングに対するTwitterの深刻な脆弱性を詳しく述べている。彼は‘つぶやき’の中の、通常はアプリケーションデベロッパが何かの製品のWebサイトへのリンクを書くような欄にJavaScriptのコードを書くという簡単な方法で、攻撃に成功した。このバグを利用すると、セッションのクッキーを盗む、Twitterワームを作る、あるいは不注意な訪問者にマルウェアを感染させるなど、ありとあらゆる悪事が可能だ。だからこれは、重大なセキュリティ問題と呼んでも過言ではない。 […]
2 Blog » Blog Archive » The Twitter Exploit That Could Have Stolen Your Info and Much, Much More - pingback
[…] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you […]
Update: Your Twitter Account is Still in Jeopardy - Google Live Search - pingback
[…] discovered the problem yesterday, and Twitter responded claiming to have fixed it, but Slater proved them wrong, and Twitter has yet […]
blogging tips - http://glowicki.pl
decent info as usual.. i bet many people made $ before it went down
Advertisers Blog » Blog Archive » The Twitter Exploit That Could Have Stolen Your Info and Much, Much More - pingback
[…] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you […]
You cannot be careful enough when you are twitter. at comp527 - pingback
[…] target of many DDoS attacks, (other link) as well as exploits targeting its XSS vulnerabilities (other link). Details of a more interesting attack on Twitter appeared in July this […]
September Link Clearance « facepalm - pingback
[…] link Twitter makes it easy to look good, what with their massive incompetence […]
The Twitter Exploit That Could Have Stolen Your Info and Much, Much More - pingback
[…] is David’s explanation on his blog: “Twitter recently added rel=nofollow to links produced by their API (e.g. the client you […]
daforum - http://www.da-forum.com
amazing find !
Content Marketing: Yes, this is a Content Scrape. Get Over it! - pingback
[…] in point: our original story about the Twitter hack got a fraction of the retweets that the rewrite on Mashable did over the first days as the story […]
Week 35 in Review – 2009 | Infosec Events - pingback
[…] Massive Twitter Cross-Site Scripting Vulnerability – davidnaylor.co.uk […]
Praetorian Prefect | Persistent XSS on Twitter.com - pingback
[…] problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the […]
Popular News 2010 » Blog Archive » Persistent XSS on Twitter.com - pingback
[…] problem is similar to one described last August by James Slater. That time around the issue was with the application URL, this time it appears the […]
This Month in the Threat Webscape – June 2010 : CU*Secure - pingback
[…] cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around […]
This Month in the Threat Webscape – June 2010 | HackerSafe Security Related Blog for all - pingback
[…] cross-site scripting (XSS) vulnerability was discovered on Twitter. You may recall a similar incident some time ago, but whereas the previous case involved the application URL, this time around […]
XSS: Get linked from dmoz instantly - pingback
[…] not the only site to ever become subject to an XSS exploit, twitter has been vulnerable plenty of times, but by golly they fixed […]
Twitter struggles to plug security hole | Richard Hartley - pingback
[…] has a security hole, Photo by Daniel Rothamel/Flickr, Some Rights ReservedYesterday, James Slater with SEO specialist firm Dave Naylor uncovered a security hole on popular micro-blogging service Twitter that could allow accounts and user details to be stolen […]