Researcher Confirms XSS Vulnerability on Twitter

Latest news
Facebook Targeted with Valentine Attack Results in Malware FBI Likely Deployed Spyware for Surveillance on MegaUpload Cidrex Trojan Opens E-mail ids in ‘Yahoo,’ Uses CAPTCHA to secure them E-mail Supposedly Inviting to Conference, Serves Trojan Collaborated Effort towards Evading Spam

Support our Sponsors

uClip Clipping Path Service

Main Menu

Resources

Login
Username Password Remember Me Forgot your password? Forgot your username? Create an account

Syndicate

Popular
Amazon Accountholders get Fresh Phishing E-mail Enterprises Facilitated through Malware Circulation in Government Cyber-criminals Execute e-Payment Malware Assault Eleven Survey Rated Spam the Biggest E-mail Security Threat in Ten Years Websites Diverting End-users onto ‘Blackhole’ Increasing Within Russia: ESET

Trampolines usa

Researcher Confirms XSS Vulnerability on Twitter

Written by Administrator

Saturday, 03 July 2010 11:00

An XSS (cross-site scripting) security flaw has been demonstrated on Twitter - the micro-blogging website. If the security flaw is exploited, it can allow hackers compromise the accounts of Twitter users or disseminate malicious software.

A security researcher from Indonesia, using the name "H4x0r-x0x" as well as using Twitter handle "Own3d_5ys," found the flaw. He demonstrated the flaw through his private Twitter account, as reported by SCMagazine on June 24, 2010.

The flaw emanates from non-validation of input pertaining to the name field of software while allowing fresh requests for different Twitter programs. When a user accesses his Twitter account, two XSS alert windows surface following which there is manipulation of the browser and eventually the user steps into the matrix when e-mails arrive from the flaw's founder.

Daniel Kennedy, partner at Praetorian Security Group, states that he hasn't seen attackers use the flaw, nonetheless that can obviously take a turn.

In the meantime, it appears that the problem resembles the one James Slater (the software developer) described during August 2009. That problem was related to 'Twitter's API (Application Programming Interface), which developers utilized for making software to post messages on the site. Evidently, the API didn't accurately scan the programs' URL, so one could inject a malevolent JavaScript together with an URL.

It has been observed that Twitter's XSS flaws have been effectively exploited for compromising accounts and for creating worms such as StalkDaily or Mikeyy. Account compromise following infection is possible if the user simply goes to a profile that contains a malevolent JavaScript. With this, a website virus can be created wholly self-propagating in nature as against some more recent phishing assaults that steal the credentials of a user through a false Twitter page.

Meanwhile, the current XSS vulnerability in Twitter is possibly the first such dangerous one since 2010 started. The security investigators state that the micro-blogging site should fix it fast because the flaw has already become public as well as in existence for many days.

Notably, an associate researcher has informed Twitter about the problem as well as to Director Del Harvey of the Trust and Safety Team of Twitter.

Read full article...