TwitPwn

MoTB Halftime Statistics Report

2009-07-16T20:33:00.009+03:00

I've decided to gather and publish some statistics for the first 15 days of "Month of Twitter Bugs".
There were 35 vulnerabilities disclosed for 15 different Twitter 3rd-party services.
12 of the 35 vulnerabilities were 0days (11 of them disclosed in the blog comments), which means there was no patch available at the time they were disclosed.
7 of those 0day vulnerabilities are still unpatched!
The average fix time for a vendor (not including bit.ly) is 18 hours.
The following pie chart shows the types of vulnerabilities found in MoTB.

As a bonus for the "Halftime statistics report", I would like to present a bug that was submitted by Laurent Gaffie: Twitter Search Web Server Information Leakage.
The Twitter search server did not block access to the ".htaccess" file, which revealed the configuration of the Twitter search web server, including a block list of IPs (spammers?).
Status: Fixed.
Screenshot:

While this bug is nothing compared to the recent Twitter servers/employees hack disclosure, it still shows that Twitter needs to hire a security engineer, and fast!

MoTB #15: CSRF+XSS vulnerabilities in Slandr

2009-07-15T21:09:00.005+03:00

What is Slandr
"Slandr delivers an enhanced mobile site for twitter, with: replies, direct messaging, etc.." (Slandr about page)

Twitter effect
Slandr can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Slandr is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
27th place in the most used twitter clients, according to “TwitStats” - 3 twits

Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The Slandr index.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Slandr web application.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.

2) Reflected POST Cross-Site in the Search page.
Status: Patched.
Details: The Slandr search page did not encode HTML entities in the "search" form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E
Screenshot:

Vendor response rate
The vendor have published a blog post about these vulnerabilities.
The vulnerabilities were fixed 2 days after they have been reported. Good - 4 twits.

MoTB #14: Reflected XSS in TweetMeme

2009-07-14T20:29:00.002+03:00

What is TweetMeme
"TweetMeme is a service which aggregates all the popular links on twitter to determine which links are popular. TweetMeme is able to categorize these links into categories and subcategories, making it easy to filter out the noise to find what your interested in." (TweetMeme about page)

Twitter effect
TweetMeme can be used to send new tweets and reply to other Twitter users.
TweetMeme is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
6.5 Million unique visitors per month (According to Compete) - 4.5 twits

Vulnerability: Reflected Cross-Site in the Search page.
Status: Patched.
Details: The TweetMeme search page did not encode HTML entities in the "for" variable, which could have allowed the injection of scripts.
The vulnerability was also submitted, and publicly disclosed by d3v1l.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetmeme.com/search.php?for=%3C/title%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E%3Ctitle%3E
Screenshot:

Vendor response rate
Vulnerability was fixed 2 hours after it has been reported. Excellent - 5 twits.

MoTB #13: Reflected XSS in Brightkite

2009-07-13T20:09:00.004+03:00

What is Brightkite
"Brightkite is a location-based social network. In real time you can see where your friends are and what they're up to. Depending on your privacy settings you can also meet others nearby." (Brightkite home page)

Twitter effect
Brightkite can be used to send new tweets and reply to other Twitter users.
Brightkite is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
16th place in the most used twitter clients, according to “TwitStats” - 4 twits

Vulnerability: Reflected Cross-Site in the "Person not found" page.
Status: Patched.
Details: The Brightkite "Person not found" page did not encode HTML entities in the people query variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://brightkite.com/people/zxxx%22%3E%3Cbody%20onload=%22alert(%27xss%27)%22%3E
Screenshot:

Vendor response rate
Vulnerability was fixed 1 hour after it has been reported. Excellent - 5 twits.

MoTB #12: Reflected XSS in TweetGrid

2009-07-12T20:32:00.005+03:00

What is TweetGrid
"TweetGrid is a powerful Twitter Search Dashboard that allows you to search for up to 9 different topics, events, converstations, hashtags, phrases, people, groups, etc in real-time. As new tweets are created, they are automatically updated in the grid. No need to refresh the page!" (TweetGrid FAQ page)

Twitter effect
TweetGrid can be used to send new tweets and reply to other Twitter users.
TweetGrid is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
28th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” - 3.5 twits

Vulnerability: Reflected Cross-Site in the Search page.
Status: Patched.
Details: The TweetGrid search page did not encode HTML entities in the "q" variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetgrid.com/search?q=xxx%3C%2Ftitle%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E
Screenshot:

Vendor response rate
Vulnerability was fixed 1 hour after it has been reported. Excellent - 5 twits.

MoTB #11: Twitturly Persistent XSS

2009-07-11T20:18:00.005+03:00

What is Twitturly
"Twitturly tracks the URLs flying around the Twitterverse and provides a quick, real-time view of what people are talking about on Twitter." (Twitturly about page)

Twitter effect
Twitturly can be used to send tweets to other Twitter users.
Twitturly is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
19th place in the Top 100 Twitter services of The Museum of Modern Betas Labs - 4 twits

Vulnerability: Persistent Cross-Site in Twitturly URLs view page.
Status: Patched.
Details: Twitturly did not encode HTML entities in the un-shortened URLs it displays, which could have allowed the injection of scripts.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Screenshot:

Vendor response rate
The vulnerability was fixed 2 hours after it has been reported. Excellent - 5 twits.

MoTB #10: CSRF+XSS vulnerabilities in Twitiq

2009-07-10T19:09:00.006+03:00

What is Twitiq
"TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers." (Twitiq home page)

Twitter effect
Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Twitiq is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
A new 3rd party service, which already gained 5K unique visitors per month (according to Compete)- 1 twit

Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.
Status: Patched.
Details: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the "jcb" variable.
Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it's victims.
Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert("xss")%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF
Screenshots:

Vendor response rate
The vulnerabilities were fixed within 1 hour after they have been reported. Excellent - 5 twits.

MoTB #09: Reflected POST XSS vulnerability in Twellow

2009-07-09T21:29:00.005+03:00

What is Twellow
"From our home at Twellow headquarters, we're actively searching and categorizing millions of inter-personal exchanges available on the internet every day. Twellow.com is thereby able to assist you in finding real people who really matter. We're doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be." (Twellow about page)

Twitter effect
Twellow can be used to follow and unfollow other twitter users.
Twellow is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (according to Compete) - 4 twits

Vulnerability: Reflected POST Cross-Site Scripting in the Contact page.
Status: Patched.
Details: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page.
This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.
Screenshots:

Vendor response rate
The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email. Good - 4 twits.

MoTB #08: DOM Based XSS in Twitterfall

2009-07-08T20:25:00.006+03:00

What is Twitterfall
"Twitterfall is a way of viewing the latest 'tweets' of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime.." (Twitterfall home page)

Twitter affect
Twitterfall can be used to send tweets, replies or follow other twitter users.
Twitterfall is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
22nd place according to "The Museum of Modern Betas". 18th place according to compete - 3.5 twits

Vulnerability: DOM Based Cross-Site Scripting in the main page.
Status: Patched.
Details: The Twitterfall main page did not encode HTML entities in the "trend" variable before evaluating it in JavaScript. This could allow the injection of scripts, which could have been used by an attacker to send tweets on behalf of its victims. The older site of Twitterfall (old.twitterfall.com) was also vulnerable to the same issue.
Proof-of-Concepts:
http://www.twitterfall.com/?trend=%3Cimg/src%3D"."/onerror%3D"alert('xss')"%3E
http://old.twitterfall.com/?trend=%3Cscript%3Ealert("XSS")=%3C/script%3E
Screenshots:

Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent - 5 twits.

MoTB #07: Reflected XSS vulns in yfrog

2009-07-07T22:00:00.012+03:00

What is yfrog
"yfrog is a service run by ImageShack that lets you share your photos on and videos on Twitter." (yfrog FAQ page)

Twitter affect
yfrog can be used to send tweets by uploading new photos, or posting comments on existing photos.
yfrog is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
A competitor to TwitPic in the Twitter photo sharing market. Owned and operated by the popular ImageShack photo sharing service provider - 4 twits

Vulnerability: Reflected Cross-Site Scripting in the Upload and Search pages.
Status: Patched.
Details: The yfrog picture upload page does not encode HTML entities in the "url" variable, which can allow the injection of scripts. Similar vulnerability exists in the "s" variable of the yfrog Search page.
This vulnerability could have allowed an attacker to send tweets on behalf of its victims.
Proof-of-Concepts:
http://yfrog.com/?url=xxx">%3Cscript%3Ealert%28"xss"%29%3C%2Fscript%3E
http://yfrog.com/search.php?s=%3Cscript%3Ealert%28/xss/%29%3C%2Fscript%3E
Screenshots:

Vendor response rate
The vulnerabilities were fixed 3 hours after they were reported. Excellent - 5 twits.

MoTB #06: Multiple vulnerabilities in TwitPic

2009-07-06T21:07:00.010+03:00

What is TwitPic
"TwitPic lets you share photos on Twitter." (TwitPic home page)

Twitter affect
TwitPic can be used to send tweets by uploading new photos, sending them via email, or posting comments on existing photos.
TwitPic is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Most popular Twitter photo sharing service. Most visited Twitter 3rd party website, according to Compete - 5 twits

Vulnerabilities
1) Cross-Site Request Forgery in the Email PIN Settings page.
Status: Patched.
Details: This vulnerability was reported by dblackshell. See dblackshell's advisory for more details: http://insanesecurity.info/blog/twitpic-modern-twitter-backdoor

Few days before "Month of Twitter Bugs" has started, attackers found Britney Spears' TwitPic email PIN number by using a brute force attack (which was also fixed by TwitPic).
Instead, they could have easily used this CSRF vulnerability in order to tweet the fake death announcement.

2) Cross-Site Request Forgery in the comments form.
Status: Patched
Details: The comments form on each TwitPic picture web page did not use authenticity code in order to validate that the HTTP request POST is coming from the TwitPic web application.
This could have been used by an attacker to send comments on behalf of its victims, which could have also tweet the comments in Twitter.

3) Persistent Cross-Site Scripting in the TwitPic profile page.
Status: Patched.
Details: This vulnerability was first reported to TwitPic on May 18th 2009, and posted on my blog.
TwitPic did not encode HTML entities in the information it imported from the Twitter profile, and displayed in the TwitPic profile.
Screenshot:

Vendor response rate
It took TwitPic only an hour to fix the vulnerabilities. Excellent - 5 twits.

In conclusion
TwitPic has a large user base, and I'm happy that they are taking security very seriously. They also take the blame when needed. I'll keep using TwitPic as my main Twitter photo sharing service.

MoTB #04: CSRF in BigTweet

2009-07-04T23:49:00.005+03:00

What is BigTweet
"BigTweet was developed by Scott Carter (@scott_carter) as a way to interact more effectively with various networks from the Web. When you click on the BigTweet bookmarklet, a window appears in the middle of your current web page. Use it to post to Twitter or FriendFeed and then return to what you were doing. It doesn't get any faster." (BigTweet home page)

Twitter affect
BigTweet can be used to send tweets from any web page by using a bookmarklet.
BigTweet is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
While Bigtweet is not on any of the top Twitter services lists, it has an easy to integrate bookmarklet interface - 1 twit

Vulnerability: Cross-Site Request Forgery in BigTweet upate.json.
Status: Patched.
Details: The bigtweet update.json web page did not use authenticity code in order to validate that the HTTP post is coming from the bigtweet web application.
Screenshots:

Note: While the proof-of-concept in the screenshots used the "xxx" twitter user, the page will actually send a tweet for the currently logged-in user (in the PoC - @avivra). Any bigtweet.com registered user could have been used instead of xxx.

Vendor response rate
Vulnerability was fully fixed 22 hours after it has been reported.
Scott Carter, the developer of BigTweet, is also the one who came up with the idea of having a security best practices document for API developers. Alex Payne from Twitter has written such document last week. Excellent - 5 twits.

MoTB #03: TwitWall Persistent XSS

2009-07-02T23:48:00.007+03:00

What is TwitWall
"TwitWall is the easy-to-use, quick-to-blast-out, instant blog companion for Twitter. With TwitWall, you can embed your favorite videos and widgets, upload your photos, mp3 music or podcasts, - you name it.." (TwitWall home page)

Twitter affect
TwitWall can be used to send tweets and follow/unfollow other Twitter users.
TwitWall is using OAuth authentication token in order to utilize the Twitter API.

Popularity rate
Though it's here since Summer 2008, it has yet to gain enough user base to get into any of the top twitter services lists - 0.5 twits

Vulnerability: Persistent Cross-Site in TwitWall entry view page.
Status: Patched.
Details: TwitWall allows HTML to be embedded in the wall entries. According to the vendor this was done because "our users with non-malicious intentions enjoy using our html editor". Unfortunately, the entry view page does not santize scripts and events that came along with the HTML.
This vulnerability could have allowed an attacker to send tweets, follow/unfollow others on behalf of its victims.
Screenshots:

Vendor response rate
Vulnerability was fully fixed 20 hours after it has been reported. Excellent - 5 twits.

MoTB #02: Reflected XSS in HootSuite

2009-07-02T17:54:00.007+03:00

What is HootSuite
"HootSuite is the ultimate Twitter toolbox. With HootSuite, you can manage multiple Twitter profiles, add multiple editors, pre-schedule tweets, and measure your success. HootSuite lets you manage your entire Twitter experience from one easy-to-use interface." (HootSuite about page)

Twitter affect
HootSuite can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
HootSuite is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
27th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” - 3.5 twits

Vulnerability: Reflected Cross-Site in the “add-acount” page.
Status: Patched.
Details: The HootSuite "add-account" page does not encode HTML entities in the "pageMode"
variable, which can allow the injection of scripts.
This vulnerability could allowed an attacker to send tweets, direct messages and to follow/unfollow others on behalf of its victims.
Proof-of-Concept: http://hootsuite.com/twitter/add-account?height=240&width=280&modal=true&pageMode=xxx%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
Vulnerability was fixed two hours after it has been reported. Excellent - 5 twits.

MoTB #01: Multiple vulnerabilities in bit.ly service

2009-07-01T16:00:00.008+03:00

What is bit.ly
"bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck." (bit.ly about page)

Twitter affect
bit.ly can be used to send tweets with the shortened URLs through a form on their website, or a simple GET request.
bit.ly is using the OAuth authentication tokens in order to send tweets via the Twitter API.

Popularity rate
Second most popular URL shortening service in the wild - 4.5 twits

Vulnerabilities
1) Reflected Cross-Site Scripting in the “url” query parameter.
Status: Patched.
Details: This vulnerability was first reported by Mario Heiderich on May 18th 2009, on twitter.
A week later, I found that this vulnerability got fixed. Unfortunately, after playing with it a bit, I figured that it was only partially fixed. Instead of encoding the HTML entities, bit.ly developers have decided to strip the <> characters. E.g. this proof-of-concept would have popup an alert on IE7:
htttp://bit.ly/?url="%20style="color:expression(document.body.onload=function()%20{alert(1)})
The following is the screenshot of the PoC:

Several days ago, after a long discussion with Mario, bit.ly has finally fully fixed this vulnerability.

2) Reflected Cross-Site Scripting in the keywords parameter.
Status: Patched.
Details: This vulnerability was reported by Mike Bailey on June 24th 2009. See Mike's advisory for more details: http://skeptikal.org/2009/06/parsing-quirk-causes-bitly-xss.html
This vulnerability was fixed by bit.ly yesterday.

3) Reflected POST Cross-Site Scripting in the username field of the login page
Status: Patched
Details: This vulnerability was reported by Mario Heiderich. See Mario’s advisory for more details: http://heideri.ch/bit.ly.txt
This vulnerability was fixed by bit.ly yesterday.

4) Persistent Cross-Site Scripting in the content-type field of the URL info page
Status: ~~*Unpatched*~~ Patched.
Details: This vulnerability was submitted by Mike Bailey on June 25th 2009.
Whenever a URL of a website gets shortened by bit.ly service, an information page is created for the URL, with statistics and metadata about the website.
One of the metadata information being stored by bit.ly is the content-type response header of the shortened URL page. This information of-course can be easily changed.
bit.ly fails to encode HTML entities while displaying the content-type information, and therefore allows injection of scripts to the page.
Live proof-of-concept can be found here: http://bit.ly/info/JvH83
Screenshot of the PoC (just in case the live demo will be removed):

Vendor response rate
It took bit.ly a month and a half to fix simple XSS vulnerabilities. Very poor - 0.5 twits.

In conclusion
bit.ly has a large user base (who doesn't click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...

[Update - 3 hours into Month of Twitter Bugs] bit.ly have finally fixed the last vulnerability.

Month of Twitter Bugs

2009-06-15T20:42:00.002+03:00

July 2009 will be Month of Twitter Bugs.
This blog will be used for posting the vulnerabilities.
More details here: http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx

Twitter Leak

2009-01-14T22:14:00.002+02:00

Gareth Heyes demonstrated on his blog that by exploiting a weakness in JSON, it is possible to extract the twits of the visitor's friends.

Twitter have fixed this issue, by making authentication on the friends timeline mandatory, as is already on other pages with sensitive information.
Giorgio Maone, the creator of NoScript, shows that the JSON weakness can still be demonstrated on the public timeline page. Fortunately, this page is intended for public information.

Malware on Twitter

2008-08-04T22:54:00.010+03:00

Well, it seems like it didn't take that long for the malware authors to notice the opportunity in abusing Twitter as a malware distribution platform.
According to Kaspersky Labs:
"...This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular..."

Unfortunately, the auto-follow-me vulnerability is still exploitable for Internet Explorer users. I'm still withholding the technical details of this vulnerability in a hope that it won't be exploited in the wild, more than it was probably already did.

Coming up: Auto-follow-me vulnerabilty

2008-07-31T22:01:00.006+03:00

Twitter suffers from a vulnerability which allows an attacker to force his victim to follow him automatically.

Twitter security team was notified on 31-July-2008.
Twitter partially fixed this vulnerability on 01-Aug-2008. The vulnerability can still be exploited on Internet Explorer. Users of other browsers are safe.
Twitter delivered a fix for IE on 04-Aug-2008. Fixed was verified on 11-Aug-2008(sorry, BlackHat/Defcon duties).

Technical details will be added soon...

tweet-spam-click-pwn

2008-07-31T21:48:00.002+03:00

Twitter can be abused to send SPAM emails with links to potentially malicious websites.
This can be done because of the way Twitter sends mails to the users, and because twitter does not sanitize the full name of the user.
So, if for example, an attacker sets his full name to http://www.twitpwn.com/ and follow his victim, the victim will get an email. Now, because Twitter sends the email as “plain text”, the attacker’s name will be a clickable link. A *potentially malicious* clickable link.

Twitter security team was notified on 26-July-2008.
Twitter fixed this vulnerability on 31-July-2008.
Note that now you cannot use a dot in your full name (e.g. Bill.Gates). This will bring an error: "Name must not contain URLs".

Welcome

2008-07-31T20:51:00.006+03:00

This blog is intended to log all past and current vulnerabilities and weaknesses in Twitter.

Feel free to submit new vulns to submit@twitpwn.com
All submitted vulnerabilities will be fully credited when posted.