Sep 24, 2010 13:44 GMT  ·  By

A security researcher who recently reported a DOM-based XSS vulnerability to Twitter reveals that, after three attempts at fixing it, the site's developers still got it wrong.

During the recent mayhem generated by the Twitter XSS worm, security researcher Stefano Di Paola of Minded Security came across a separate cross-site scripting bug affecting the platform.

The vulnerable code allowed attacker-supplied JavaScript to be executed by appending it after the "#!" character pair at the end of Twitter URLs.

"The DOM Based XSS will be triggered by simply going to: http://twitter.com/#!javascript:alert(document.domain);" the researcher explains.

Unlike the person who unleashed the recent XSS worm, Di Paola acted responsibly and reported the flaw to Twitter.

However, when he checked a few hours later, he found that the patch implemented by Twitter's developers relied on the unreliable practice of blacklisting.

The technical details are fully explained on his blog, but the bottom line is that the fix could easily be bypassed by using two semicolons in the URL instead of one.

Therefore, Di Paola emailed Twitter again with information about the bypass and some suggestions for a better patch.

The next morning he woke up to find the fix revised, but to his surprise it only worked properly in Firefox. After yet another try, Twitter came up with a more reliable fix, though by no means a perfect one.

"Still not the best, IMHO, but at least it works... well, until there will be a bypass. Also, since the patch just blocks ':', an arbitrary redirect issue still remains," the researcher says.

What he means is that opening twitter.com#!//[url] will redirect the browser to [url]. This can potentially be exploited to lend credibility to phishing attacks.
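As an added illustration (not Twitter's code, and not code from Di Paola's blog), the following JavaScript contrasts the kind of ':' blacklist the article describes with an allowlist check that only accepts a same-origin relative path from the "#!" fragment. The function names `colonBlacklistPath`, `safeFragmentPath` and `routeFromHash`, and the sample fragments, are constructed for this example; the point is that an allowlist rejects both the script vector quoted above and the protocol-relative redirect that survives the colon blacklist.

```javascript
// Added example, not Twitter's code: validating a "#!<path>" fragment
// before a client-side router acts on it.

// 1. Blacklist approach, modelled on the article's description of the
//    third fix ("the patch just blocks ':'"): anything containing a colon
//    is refused, everything else passes through untouched.
function colonBlacklistPath(hash) {
  if (typeof hash !== "string" || !hash.startsWith("#!")) return null;
  const path = hash.slice(2);
  return path.includes(":") ? null : path;
}

// 2. Allowlist approach: the fragment must look like a same-origin path.
//    Exactly one leading slash (so "//host" is rejected), then only a
//    conservative set of characters: no scheme separator, no backslash,
//    no whitespace, no angle brackets or quotes.
const SAFE_PATH = /^\/(?!\/)[A-Za-z0-9_\-./?=&%]*$/;

function safeFragmentPath(hash) {
  if (typeof hash !== "string" || !hash.startsWith("#!")) return null;
  const path = hash.slice(2);
  return SAFE_PATH.test(path) ? path : null;
}

// A router built on the allowlist falls back to the home page rather
// than navigating to whatever the fragment contained. In a page this
// would be called with location.hash; here the value is passed in so
// the function can be exercised outside a browser.
function routeFromHash(hash) {
  const path = safeFragmentPath(hash);
  return path === null ? "/" : path;
}

// Constructed sample fragments: a normal profile path, the vector the
// article quotes, and a protocol-relative redirect of the kind that
// survives the colon blacklist.
const SAMPLES = [
  "#!/minded_security",
  "#!javascript:alert(document.domain)",
  "#!//attacker.example/login",
];

// Runs both checks over the samples so the difference is visible side by side.
function compare() {
  return SAMPLES.map((h) => ({
    fragment: h,
    blacklist: colonBlacklistPath(h),
    allowlist: safeFragmentPath(h),
  }));
}

console.table(compare());
```

The blacklist returns `null` for the `javascript:` sample but passes `//attacker.example/login` through unchanged, which is exactly the redirect Di Paola points out; the allowlist returns `null` for both, and `routeFromHash` turns that into a harmless navigation to "/".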

This is not the first time Twitter has botched an XSS fix. Last August we reported on a similar incident, in which a security enthusiast found that Twitter's patch for the flaw he reported could be easily defeated.