This morning I was looking around Twitter and I noticed that a few people were working on testing a persistent XSS script. Finally someone got it right (not sure who discovered it originally). I was able to recreate what they did for a demo. It seems that when parsing an HTTP link the JavaScript is executed directly on Twitter. Here is a working example:
http://twitter.com/#@"onmouseover="javascript:alert('xss');"/
When you tweet this and then "mouseover" the link you will get a JavaScript alert, provided you aren't blocking scripts (some browsers also block this). I tested this on Google Chrome (latest release). This goes to show that nothing is 100% secure. I suggest that everyone not use the twitter.com web client until they fix this issue, as you can only imagine the amount of attacks that are forthcoming.
**Update:** The issue is apparently fixed, although I have only seen one person confirm that. Still waiting for an "official" announcement from Twitter that the issue has been resolved. The code that was vulnerable is actually open source for anyone that wants to take a look.
http://github.com/mzsanford/twitter-text-rb/commit/cffce8e60b7557e9945fc0e8b4383e5a66b1558f
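To make the mechanism concrete, here is an added example (my own code, not Twitter's twitter-text library) of a minimal URL auto-linker written in the vulnerable style next to a hardened version, run on the payload quoted above. The URL regex and the `hasInjectedHandler` heuristic are constructed for this demo.

```javascript
// Added example, not the twitter-text code: a toy URL auto-linker in the
// vulnerable style and a hardened version. PAYLOAD is the link quoted in the post.
const PAYLOAD = 'http://twitter.com/#@"onmouseover="javascript:alert(\'xss\');"/';

// Rough URL matcher constructed for the demo: scheme, then everything up to whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: the matched URL is dropped straight into the href attribute.
// A double quote inside the URL closes the attribute, and the rest of the
// text becomes new attributes on the <a> element (here, onmouseover).
function autolinkVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: escape every character with meaning inside an attribute value
// or text node before interpolating, so the URL stays data, not markup.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function autolinkSafe(text) {
  return text.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Regression heuristic for tests/CI: does the rendered markup contain an
// event-handler attribute that begins right after a closing quote? Our
// template never emits one, so any match means attribute injection.
function hasInjectedHandler(html) {
  return /["']\s*on[a-z]+\s*=/i.test(html);
}

// Render the post's payload both ways and report whether a handler leaked through.
function demo() {
  const tweet = `check this ${PAYLOAD}`;
  const vuln = autolinkVulnerable(tweet);
  const safe = autolinkSafe(tweet);
  return {
    vuln,
    safe,
    vulnInjected: hasInjectedHandler(vuln), // true
    safeInjected: hasInjectedHandler(safe), // false
  };
}
```

In the hardened output the quote is rendered as `&quot;`, so the browser sees one long href value and never reaches an `onmouseover` attribute.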
Just seen it running around Twitter then; hilarious that such a big company can get something so elemental in web-app security wrong...