Implemented input validation fails miserably

Aug 27, 2009 07:56 GMT  ·  By

After a critical Twitter cross-site scripting vulnerability was recently discovered and reported, the website's security team rushed to address it. Subsequent scrutiny of the patch exposed it as a seriously inadequate fix that can be circumvented with ease, so malicious code can still be injected into tweets.

The flaw was disclosed by SEO specialist James Slater on Tuesday and is the result of improper input validation in the "Application Website" field of the form used to register third-party Twitter clients. More specifically, this field, intended to receive a URL, accepts arbitrary markup, which is then embedded at the end of every tweet sent through that client.

Furthermore, JavaScript code can be injected by placing it inside <script> tags and can then be used to perform a wide array of malicious actions, such as forcing logged-in visitors to perform unwanted actions from their accounts, stealing their session cookies or attempting to infect them with malware.

"Their form did no - or some very, very basic - checking on what you enter in the box. I pointed this out in the article yesterday and they have since attempted to fix it. However, Twitter have completely missed the point," announces Mr. Slater.

Apparently, Twitter's solution involved nothing more than preventing whitespace from being passed in the input. While it is true that the SEO specialist stumbled across the flaw while attempting to circumvent Twitter's default nofollow policy by appending a rel="external" attribute after the URL, the vulnerability's scope is actually much larger, and whoever "fixed" the problem failed to understand that.

There are multiple ways to avoid spaces in the input and still achieve the desired result. For example, empty spaces can be replaced with inside URLs, or the JavaScript unescape function can be used. As long as the <script> tag can be passed in one way or another, the possibilities are endless.
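To make the article's point concrete, here is an added example (not Twitter's code, and not James Slater's) contrasting a whitespace-blacklist check with allow-list validation of a URL field plus output encoding. The function names and the three sample inputs are constructed for illustration: a benign URL, the space-containing value the article describes, and a value carrying markup with no whitespace at all. A blacklist of one character passes the third input; an allow-list validator that requires a well-formed http(s) URL rejects it, and HTML-escaping at render time covers whatever the validator lets through.

```python
"""Weak 'no whitespace' filter versus allow-list URL validation plus output encoding.

Added example, not Twitter's code. Function names and sample inputs are
constructed for illustration.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs for the "Application Website" field.
SAMPLE_INPUTS = {
    "benign": "http://example.com/app",
    "with_space": 'http://example.com/app" rel="external',
    "no_space_markup": "http://example.com/<script>alert(1)</script>",
}


def weak_validate(value: str) -> bool:
    """The kind of fix the article criticises: reject only if whitespace is present.
    Any payload written without spaces passes."""
    return not re.search(r"\s", value)


# Characters legal in a URL (RFC 3986 unreserved + reserved + '%'). Note that
# '<', '>', '"' and whitespace are deliberately absent, so markup cannot pass.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
# host[:port] with only hostname characters.
_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?$")


def strict_validate(value: str) -> bool:
    """Allow-list validation: accept only an absolute http(s) URL made entirely
    of URL-safe characters with a plausible host; reject everything else."""
    if not value or len(value) > 2048:
        return False
    if not _URL_CHARS.fullmatch(value):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False  # also blocks javascript:, data:, etc.
    if not parts.netloc or not _HOST_RE.match(parts.netloc):
        return False
    return True


def render_link(url: str, label: str) -> str:
    """Output encoding: even a validated value is HTML-escaped when embedded,
    so a stored value can never break out of the attribute or element."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label))


def compare(inputs: dict) -> dict:
    """Return {name: (weak_result, strict_result)} for each sample input."""
    return {name: (weak_validate(v), strict_validate(v)) for name, v in inputs.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare(SAMPLE_INPUTS).items():
        print(f"{name:16s} weak={weak!s:5s} strict={strict!s:5s}")
    print(render_link(SAMPLE_INPUTS["benign"], "My <App>"))
```

The weak check accepts the markup payload because it contains no whitespace, which is exactly the failure the article describes; the strict check rejects it on the first test (illegal characters) before the URL is even parsed, and the `render_link` step means a future validator bug does not by itself become script execution.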

Until the Twitter staff wrap their heads around this vulnerability and properly address it, users of the micro-blogging platform can take several steps to protect themselves from such rogue content. First of all, viewing tweets without being logged in protects one's account from being compromised, although other malicious attacks remain possible. It is still a good practice whenever possible.

Posting and reading tweets from a third-party application rather than directly on Twitter's website can also provide some level of protection, depending on the program used. Furthermore, browser extensions such as NoScript for Firefox do a fairly good job of blocking XSS attacks at the browser level, and not only on Twitter. Obviously, having a solid and complete antivirus solution installed on the computer is also a good idea and can block web exploitation attempts.

"This isn’t the first time we’ve found vulnerabilities in Twitter… I wonder how many more there are out there? We got no response from them yesterday either, which is a shame. We don’t want to stop using their service because we’re worried about security, and I’m sure we’re not the only ones," concludes James Slater.