Tuesday, 21 September 2010

Twitter XSS Vulnerability

Twitter earlier today had an XSS vulnerability in the way it processes the URLs in tweets. As described here, when you tweet a URL on Twitter, it identifies the URL and displays it as a link. Twitter did not check the URL properly, double quotes in particular, which allowed custom JavaScript code to be run in the browser of anyone viewing the tweet.
For example, the URL http://www.blah.com/"onmouseover=alert('You are hacked') would display an alert box when you move the mouse over the link: the unescaped double quote closes the href attribute value, so the rest of the URL is parsed as a new attribute, here an onmouseover event handler. The alert box can be replaced with any custom JavaScript, for instance to redirect users to malicious websites. According to the most recent update, Twitter has fixed this flaw. This is just one example of how a small sanity-check error by a developer can lead to a security disaster.
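To make the bug class concrete, here is an added example (not Twitter's code) of a toy tweet linkifier: the vulnerable version drops the URL text straight into an href attribute, the hardened version attribute-escapes it first, and a small tokenizer shows how a browser would split the resulting tag into attributes. The sample tweet is constructed and modelled on the payload shape quoted above.

```javascript
// Escape the characters that can break out of a quoted HTML attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: no escaping, so a double quote inside the URL ends the href value
// and everything after it becomes further attributes on the <a> tag.
function linkifyVulnerable(tweet) {
  return tweet.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
}

// Hardened: attribute-escape the URL before interpolating it into the markup.
function linkifySafe(tweet) {
  return tweet.replace(URL_RE, (u) => {
    const safe = escapeAttr(u);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Rough tokenizer for the attribute names of the first <a> tag, mirroring how a
// browser starts a new attribute once a quoted value has been closed.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\b([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s"'=<>/]+)(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample tweet (hypothetical), same shape as the payload in the post.
const SAMPLE_TWEET = 'check this http://www.blah.com/"onmouseover=alert(1) out';

console.log(anchorAttributeNames(linkifyVulnerable(SAMPLE_TWEET))); // [ 'href', 'onmouseover' ]
console.log(anchorAttributeNames(linkifySafe(SAMPLE_TWEET)));       // [ 'href' ]
```

In the hardened output the quote survives only as `&quot;`, so the whole string stays inside the href value and no event handler attribute is created.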

