XSS flaw in Twitter | Tecspeak.com

Two security researchers have discovered a serious XSS weakness affecting Twitter, the popular micro-blogging platform. The attack, posted by researchers at Secure Science, is an innocuous proof of concept that forces users to send out a predetermined Twitter message, but it could be repurposed into a very nasty worm, said Lance James, chief scientist with Secure Science.

Lance James and Eric Wastl, security researchers at Secure Science Corporation, have announced that Twitter users are exposed to potentially dangerous attacks because of a cross-site scripting vulnerability. XSS flaws arise when a site reflects attacker-controlled input into a page without proper validation and output encoding; a reflected XSS bug typically lets an attacker run script in a victim's browser, inside the victim's logged-in session, simply by getting the victim to open a crafted URL. The hack is similar to a clickjacking attack that was making the rounds on Twitter last month. There, hackers used a sneaky technique to trick users into clicking on a link without realising it. That link would post the Twitter message saying "don't click" along with a URL.

The shortened version of the PoC link has since been disabled by TinyURL, but the full URL is still available. Clicking on it first warns users of what they are about to do and asks whether they want to proceed. Hitting "Ok" automatically posts a message reading "@XSSExploits I just got owned!" on their Twitter page.

"With a technology such as twitter, I could use it to infect massive amounts of twitter readers/users, say with malware or steal their accounts, etc.," Lance James told The Register. This is even more dangerous because most Twitter users have grown accustomed to clicking TinyURL links without using the service's preview feature to see where they actually lead.

Twitter could neutralise the attack by fixing the cross-site scripting flaw that the Secure Science researchers are exploiting, but if another similar bug were to appear on the site, users would face the same problem all over again. The issue is made worse by Twitter's 140-character limit: Twitterers rely on shortened web links such as TinyURL.com and often have no idea whether the link they are clicking is trustworthy, James said.
