November 14, 2009

Twitter XSS

Posted by Roberto Suggi Liverani at 9:53 AM / Labels:
Not sure if some people noticed, but an interesting XSS vector was found affecting the Twitter web site last November, by Rosario Valotta. When Rosario contacted me, I couldn't believe when looking at the XSS payload. After some talking, I suggested the use of document.write to bypass some Twitter input filtering controls. This allowed Rosario's injection to include a <script> tag as well. The bug was also disclosed on Full-Disclosure. I just wonder about the so "many" implications of having that kind of XSS bug on Twitter. Happy to not use Twitter ;-)

Link: http://sites.google.com/site/tentacoloviola/twitterhorror

Share - permalink - Comment/Contact me
Subscribe to: Posts (RSS)