Promptly fixed by Twitter after its disclosure

Jun 28, 2010 11:48 GMT · By

A Twitter cross-site scripting (XSS) vulnerability reported late last week was quickly fixed by the website's security staff. The flaw might have been abused in an earlier attack that affected hundreds of Twitter accounts.

The persistent XSS bug was disclosed by an Indonesian grey hat hacker going by the online moniker "H4x0r-x0x," who demoed it on his own Twitter account. People who visited his profile were prompted with several consecutive JavaScript alert windows giving credit to the security enthusiast. After the alerts, the whole page was modified to display a matrix-like background.

According to Daniel Kennedy of Praetorian Security Group, who published an in-depth analysis of the proof-of-concept attack, the hacker left a message reading "there is no crime here! I just create To smarten view my Twitter profile," suggesting that his intentions were not malicious.

This XSS vulnerability is persistent, meaning that exploitation results in permanent changes to the page, which subsequently affect every user who views it. This is in contrast to reflected XSS flaws, which can only affect users who open a specially crafted URL.

Cross-site scripting bugs are the result of improper input validation in web forms. In this case, the vulnerability was located in the name field of the Twitter application registration form. The flaw was similar to a different one discovered last August in the application URL field by a blogger named James Slater.
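As an added illustration (not Twitter's code and not taken from the analyses cited here), the following Python sketch contrasts an application profile page that interpolates a stored application name straight into HTML with one that validates the name on input and HTML-encodes it on output. The registry, field names, markup, length limit and sample values are constructed assumptions.

```python
import html
import re

# Constructed sample values for illustration; the form, field names and markup
# below are assumptions, not Twitter's actual code.
PAYLOAD_NAME = '<script>alert("xss")</script>'
SAFE_NAME = "Weather Bot"

# Letters, digits, spaces and a little punctuation; 64 characters max (assumed policy).
_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# In-memory stand-in for the application registry.
_applications = {}

def validate_app_name(name):
    """Input-side check: reject names outside a conservative allowlist."""
    return bool(_NAME_RE.match(name))

def register_application(app_id, name, validate=False):
    """Store the record. With validate=False the name is kept verbatim, which is
    what makes such a flaw persistent: one submission, served to every viewer."""
    if validate and not validate_app_name(name):
        raise ValueError("application name contains disallowed characters")
    _applications[app_id] = {"name": name}
    return _applications[app_id]

def render_app_profile_vulnerable(app_id):
    """Output-side bug: the stored name is interpolated into HTML unchanged."""
    name = _applications[app_id]["name"]
    return f'<div class="app"><h2 title="{name}">{name}</h2></div>'

def render_app_profile_fixed(app_id):
    """Output-side fix: encode for both element text and the attribute value
    (quote=True also encodes the quote characters)."""
    name = html.escape(_applications[app_id]["name"], quote=True)
    return f'<div class="app"><h2 title="{name}">{name}</h2></div>'

if __name__ == "__main__":
    register_application("demo", PAYLOAD_NAME)
    print(render_app_profile_vulnerable("demo"))  # script tag reaches every viewer
    print(render_app_profile_fixed("demo"))       # rendered as inert text
```

Both layers matter: the allowlist stops the obvious payloads at registration, while output encoding protects the page even when a value reached storage through another path.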

Dimitris Pagkalos, one of the founders of XSSed, a project that maintains an archive of XSS flaws and raises awareness about this type of Web vulnerability, notes that Twitter's security team promptly addressed the bug. However, he suggests the vulnerability might have been used in an earlier attack that made a rogue status reading "Hacked By Turkish Hackers" appear on almost one thousand Twitter profiles.

You can follow the editor on Twitter @lconstantin

Photo Gallery (2 images): "Twitter XSS flaw discovered and patched"; "Twitter XSS flaw exploitation demo"