Thursday, July 31, 2008

tweet-spam-click-pwn

Twitter can be abused to send spam emails with links to potentially malicious websites.
This is possible because of the way Twitter sends notification emails to its users, and because Twitter does not sanitize the user's full name.
So if, for example, an attacker sets his full name to http://www.twitpwn.com/ and follows his victim, the victim will get a "new follower" email. Because Twitter sends that email as plain text, the attacker's name is rendered as a clickable link. A *potentially malicious* clickable link.

The Twitter security team was notified on 26-July-2008.
Twitter fixed this vulnerability on 31-July-2008.
Note that you can no longer use a dot in your full name (e.g. Bill.Gates). Doing so produces the error: "Name must not contain URLs".

3 Comments:

Anonymous dblackshell said...

Well, they could use a better input check rather than just checking for a dot (or more)... because the following URL is also a valid one...
http://1089059683 (google)

September 10, 2008 1:59 PM  
Anonymous Anonymous said...

Hi, I would like to know how this works: http://1089059683
I can hardly remember how; all I can recall is that it has something to do with the DNS, if I'm not mistaken...

Cheers,
r00t

April 28, 2009 8:28 AM  
Blogger STRSHR said...

Anonymous,
http://www.fubby.com/http1089059683-googlecom/

June 16, 2009 10:23 AM  
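As an added example (not code from the post, from Twitter, or from any commenter), here is a display-name check that handles both the post's case and the one raised in the comments: it flags any scheme-prefixed URL regardless of dots, decodes the integer host form (decimal, 0x hex, leading-0 octal) that browsers resolve to an IPv4 address, and rejects bare dotted hosts the way Twitter's fix does. The function names, regular expressions and sample inputs are my own assumptions.

```python
import ipaddress
import re
from typing import Optional

# Bare dotted hosts, the case Twitter's fix blocks (it rejects "Bill.Gates" too).
DOTTED_HOST = re.compile(r"(?<![\w.])[\w-]+(?:\.[\w-]+)+(?![\w.])")
# A scheme followed by a host; such a host needs no dot at all, so a dot check
# alone lets it through.
SCHEME_URL = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s/]+)", re.I)


def int_host_to_ipv4(host: str) -> Optional[str]:
    """Decode the integer IPv4 host forms browsers accept (decimal, 0x hex,
    leading-0 octal) into dotted-quad notation; None if host is not one."""
    h = host.lower()
    if not re.fullmatch(r"0x[0-9a-f]+|[0-9]+", h):
        return None
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)
        elif len(h) > 1 and h[0] == "0":
            value = int(h, 8)
        else:
            value = int(h, 10)
        return str(ipaddress.IPv4Address(value))  # raises if value > 32 bits
    except ValueError:
        return None


def url_like_findings(name: str) -> list:
    """Reasons a mail client would render this display name as a link."""
    findings = []
    for scheme, host in SCHEME_URL.findall(name):
        ip = int_host_to_ipv4(host)
        if ip:
            findings.append(f"{scheme}:// with integer host {host} ({ip})")
        else:
            findings.append(f"{scheme}:// url")
    if DOTTED_HOST.search(name):
        findings.append("dotted host")
    return findings


def is_safe_display_name(name: str) -> bool:
    return not url_like_findings(name)


if __name__ == "__main__":
    # Constructed samples: the post's attacker name, the comment's decimal-IP
    # URL, a dotted name, and an ordinary name.
    for n in ["http://www.twitpwn.com/", "http://1089059683", "Bill.Gates", "Bill Gates"]:
        print(repr(n), url_like_findings(n) or "ok")
```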
