November 14, 2009

Twitter XSS

Not sure if some people noticed, but an interesting XSS vector affecting the Twitter web site was found last November by Rosario Valotta. When Rosario contacted me, I couldn't believe it when I looked at the XSS payload. After some talking, I suggested the use of document.write to bypass some Twitter input filtering controls. This allowed Rosario's injection to include a <script> tag as well. The bug was also disclosed on Full-Disclosure. I just wonder about the "many" implications of having that kind of XSS bug on Twitter. Happy to not use Twitter ;-)


