Saturday, October 2, 2010

XSS hack on Twitter

A security researcher from Indonesia had discovered a persistent XSS vulnerability also called script injection on twitter dot com. With this hack, a malicious individual could exploit user account or infect them with spyware, malware and adware..Soon this is been reported to twitter secuirity team and corrected..
This hack is majorly due to lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes, then your browser is manipulated, finally you enter the matrix (see below), and get messages from the researcher who found the vulnerability.
this interesting paper walks you through the attack scenario in steps...
As demonstrated in the past, XSS vulnerabilities in Twitter have been successfully used to take over accounts and create worms (Mikeyy, StalkDaily). Infection (account takeover) can be accomplished simply by visiting a profile with an include of a malicious Javascript, making a true self propagating web site worm possible as opposed to other more recent attacks based on phishing a user’s credentials with a fake Twitter login screen.This might be Twitter’s first serious cross site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly as it was public knowledge before this post, and has been for days.