After a critical Twitter cross-site scripting vulnerability was recently discovered and reported on, the website's security team rushed to address it. Subsequent scrutiny of the patch exposed it as a seriously inadequate fix that can be circumvented with ease to continue injecting malicious code into tweets.
The flaw was disclosed by SEO specialist James Slater on Tuesday and is the result of improper input validation in the "Application Website" field of the form used to add third-party Twitter clients. More specifically, this field, normally designed to receive URLs, actually allows passing markup code that gets embedded at the end of every tweet.
"Their form did no - or some very, very basic - checking on what you enter in the box. I pointed this out in the article yesterday and they have since attempted to fix it. However, Twitter have completely missed the point," announces
Apparently, Twitter's solution involved nothing more than preventing white space from being passed in the input. While it's true that the SEO specialist stumbled across the flaw while attempting to circumvent Twitter's default nofollow policy by passing a rel="external" parameter after the URL, the vulnerability's scope is actually much larger, and whoever "fixed" the problem failed to understand that.
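An added example, not Twitter's code, contrasting the whitespace-only check the article describes with an allow-list validator that parses the "Application Website" value as a URL and still escapes it on output; the function names and sample inputs are constructed for illustration.

```python
"""Weak vs. proper validation of a URL field that is later embedded in HTML."""
import html
from typing import Optional
from urllib.parse import urlsplit


def weak_check(value: str) -> bool:
    """Mimics the patch described in the article: reject only whitespace.
    Markup without spaces still passes this check unchanged."""
    return not any(ch.isspace() for ch in value)


# Characters that can never appear in a legitimate application website URL
# and would only serve to break out of an href attribute or tag.
_FORBIDDEN = set('<>"\'`')


def validate_app_url(value: str) -> Optional[str]:
    """Allow-list validator: return a cleaned http(s) URL, or None on rejection.
    The value is parsed structurally so the scheme and host are checked,
    rather than relying on a denylist of bad characters alone."""
    value = value.strip()
    if not value or len(value) > 2048 or any(ch.isspace() for ch in value):
        return None
    if _FORBIDDEN & set(value):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https"):
        return None  # rejects javascript:, data:, scheme-less input, etc.
    if not parts.hostname or parts.username or parts.password:
        return None  # require a host; refuse embedded credentials
    return parts.geturl()


def render_source_link(value: str) -> str:
    """Build the 'from <app>' link shown under a tweet. Escape on output even
    after validation, so a stored value can never break out of the attribute."""
    url = validate_app_url(value)
    if url is None:
        raise ValueError("rejected application website")
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'
```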
Until the Twitter staff wrap their heads around this vulnerability and properly address it, users of the micro-blogging platform can take several steps to protect themselves from such rogue content. First of all, viewing tweets without being logged in can protect one's account from being compromised, although other malicious attacks remain possible. It is still a good practice whenever possible.
Posting and reading tweets from a third-party application rather than directly from Twitter's website can also provide some level of protection, depending on the program used. Furthermore, browser extensions such as NoScript for Firefox do a fairly good job of blocking XSS attacks at the browser level, and not only for Twitter. Obviously, having a solid and complete antivirus solution installed on the computer is also a good idea and can block web exploitation attempts.
"This isn’t the first time we’ve found vulnerabilities in Twitter… I wonder how many more there are out there? We got no response from them yesterday either, which is a shame. We don’t want to stop using their service because we’re worried about security, and I’m sure we’re not the only ones," concludes James Slater.