Wednesday, August 26, 2009

XSS vulnerability in Twitter

[NOTE: As if the attention-grabbing title ruining the surprise for you wasn't bad enough, I've got some more bad news. We let Twitter (via Kevin Rose) know about this before it went live, but we think somebody saw the test!]

So as I’m sure everyone heard about the other day, Twitter recently added rel=nofollow to links produced by their API (e.g. the client you used to send the tweet). I was playing around with some settings today and noticed something interesting.

If you change the link in the application settings, it affects all of the historical tweets generated by the application. So it’s pretty quick and easy to experiment with different URLs and see what happens. I wonder if it’s possible to get rid of that pesky nofollow attribute? Let’s see what happens if we change our ‘Application Website’…

[Screenshot: twitter_rel_external]

Surely that wouldn’t work? They must be doing some checks on the URL. Right?

[Screenshot: twitter_rel_external_proof]

Oh, no, wait. It works. A clean, followed link out of Twitter again. Isn’t that nice?

Actually, if they were that stupid… what’s to say I couldn’t drop some other content in there? Yup, that works too. Take a look for yourself. Do I hear anyone saying “cross-site scripting”?
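As an added illustration (not code from the original post, and not Twitter's own code), here is the rendering pattern the post describes beside a hardened version in Python. The hypothetical `vulnerable_via_link` concatenates the developer-supplied ‘Application Website’ straight into the href, so a quote in the URL closes the attribute and whatever follows becomes new attributes or markup; `safe_via_link` restricts the scheme and HTML-escapes the value so the nofollow cannot be dropped and no content can be injected. Function names and the sample URL are my own constructions.

```python
import html
from urllib.parse import urlsplit

# Only absolute web URLs make sense as an "Application Website".
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_via_link(app_name: str, app_url: str) -> str:
    """The pattern the post describes: the stored URL is pasted into the
    attribute unescaped, so '"' ends href and the rest is parsed as HTML."""
    return f'via <a href="{app_url}" rel="nofollow">{app_name}</a>'


def validate_app_url(app_url: str) -> str:
    """Accept only absolute http(s) URLs with a host; reject e.g. javascript:
    or values that are not URLs at all. Returns the normalised URL."""
    parts = urlsplit(app_url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("application website must be an absolute http(s) URL")
    return parts.geturl()


def is_valid_app_url(app_url: str) -> bool:
    """Boolean wrapper around validate_app_url for callers that just need a check."""
    try:
        validate_app_url(app_url)
        return True
    except ValueError:
        return False


def safe_via_link(app_name: str, app_url: str) -> str:
    """Validate the scheme, then escape for an attribute context: '"' becomes
    &quot;, so the browser never sees a second rel= or any injected tag."""
    url = validate_app_url(app_url)
    return (
        f'via <a href="{html.escape(url, quote=True)}" rel="nofollow">'
        f"{html.escape(app_name)}</a>"
    )


# Constructed sample value: a URL that tries to close href and add rel="external".
SAMPLE_URL = 'http://example.com/" rel="external'

if __name__ == "__main__":
    print(vulnerable_via_link("Test", SAMPLE_URL))  # nofollow overridden
    print(safe_via_link("Test", SAMPLE_URL))        # quote escaped, nofollow kept
```

Escaping on output is what stops the attribute breakout; the scheme check on its own would still have let the sample through, since it is a syntactically valid http URL.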

If I was going to be mean, I could have made that JavaScript steal your login cookie and send it to us. Or maybe to someone else? Perhaps I could drop a few trending hashtags in there and see how many people look at my tweet. Or worse - why not use Twitter’s own handily-available API to, I dunno, post a few tweets?

Any Twitter application developers out there I wonder? Maybe I could be more subtle about it, just drop a script in there that goes to their application settings page and changes their URL to drop some malware links around the place. Let’s just hope that the developers of TweetDeck or TwitterFox don’t look at any of my tweets!

James

Edit: Twitter have suspended the @apifail account - no big surprise there. That does mean you can’t see the demonstration though: it would just pop up a JavaScript alert box whenever the tweet was viewed. Obviously if it could do that… the world is your oyster! We recorded a quick video of it in action if you didn’t see it for yourself; we’ll post it tomorrow.


Original source and user comments at www.davidnaylor.co.uk
