Confirmed Twitter XSS Vulnerability


Just to confirm, my picture post guessing at a potential XSS vulnerability from over 3 hours ago proved itself to be exactly that.

The vulnerability is caused by URLs not being cleaned/escaped properly. By adding JavaScript to the end of a URL, you can effectively execute whatever you like as long as it’s within 140 chars (including pretty rainbow coloured tweets). Unfortunately, the character limit is no real limiter: by calling upon the powers of JavaScript libraries you can reference external JS files that then cause more damage. Tweeting rainbows is harmless enough, but JavaScript is pretty powerful and can be used to obtain session tokens, follow people you don’t want to be following, send DMs and tweets, etc.
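What "cleaned/escaped properly" means for code that turns tweet text into links, as an added example that is not from the original post and is not Twitter's code. The function names and the sample tweet are constructed, and the injected attribute is an inert marker.

```javascript
// Added illustration: a tweet-to-HTML linkifier, unescaped vs. escaped.
// Only http/https URLs are matched, so href never carries another scheme.
const URL_RE = /https?:\/\/\S+/g;

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Unsafe: the URL is pasted straight into the href attribute and link body,
// so a double quote inside the "URL" closes href and starts a new attribute.
function linkifyUnsafe(tweet) {
  return tweet.replace(URL_RE, u => `<a href="${u}">${u}</a>`);
}

// Hardened: every piece of user text, URL or not, is escaped before it
// reaches the markup; the only raw HTML is the template written here.
function linkifySafe(tweet) {
  let out = '', last = 0;
  for (const m of tweet.matchAll(URL_RE)) {
    out += escapeHtml(tweet.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += `<a href="${u}" rel="nofollow noopener">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(tweet.slice(last));
}

// Regression check helper: attribute names present on the first <a> tag.
function anchorAttrs(html) {
  const tag = html.match(/<a\s[^>]*>/);
  return tag ? [...tag[0].matchAll(/([\w-]+)="/g)].map(m => m[1]) : [];
}

// Constructed sample: a quote after the URL followed by a harmless marker attribute.
const SAMPLE = 'look http://example.test/a"data-injected="1 <b>hi</b>';

console.log(anchorAttrs(linkifyUnsafe(SAMPLE))); // marker became a real attribute
console.log(anchorAttrs(linkifySafe(SAMPLE)));   // only the template's attributes
```

A check like `anchorAttrs` belongs in the renderer's test suite, so that any attribute the template did not write fails the build.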

The safest thing to do at this point in time is to simply avoid the website. Non-web/non-JavaScript clients are risk free, and may enable you to delete any RTs etc. that you may have inadvertently spread. You can also use the Firefox NoScript extension to block scripts, which is nice and safe but basically breaks the Twitter website.

You can now give me cookies for calling this first.

Jem Turner +44(0)7521056376

6 comments so far

  1. Carly said:

    Hmm Jem, you seem to know an awful lot about this AND you found the rainbow account hours before anybody else heard about the attacks – I suspect YOU are the rainbow Twittererer! :D

  2. Jem said:

    @Rhys: hahah, I wasn’t being serious about being first, this has been around for ages in theory. The thing is, they’ve fixed the code but haven’t rolled it out yet.

  3. Georgina said:

    *truck comes by your house with a lifetime supply of cookies, individually wrapped in gold foil*

    Thanks for this, Jem. Curiosity got the better of me in those rainbow tweets. ;_;

  4. James said:

    A lot of hackers / coders, whatever you wanna call them, aren’t malicious and it’s more about the skill and recognition. Big up the rainbow! lol. *remembers Oh my God! look at that RAINBOW video …*