Wednesday, July 1, 2009

MoTB #01: Multiple vulnerabilities in service

What is
" allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. can be accessed through our website, bookmarklets and a robust and open API. is also integrated into several popular third-party tools such as Tweetdeck." ( about page)

Twitter affect can be used to send tweets with the shortened URLs through a form on their website, or a simple GET request. is using the OAuth authentication tokens in order to send tweets via the Twitter API.

Popularity rate
Second most popular URL shortening service in the wild - 4.5 twits

1) Reflected Cross-Site Scripting in the “url” query parameter.
Status: Patched.
Details: This vulnerability was first reported by Mario Heiderich on May 18th 2009, on twitter.
A week later, I found that this vulnerability got fixed. Unfortunately, after playing with it a bit, I figured that it was only partially fixed. Instead of encoding the HTML entities, developers have decided to strip the <> characters. E.g. this proof-of-concept would have popup an alert on IE7:
The following is the screenshot of the PoC:

Several days ago, after a long discussion with Mario, has finally fully fixed this vulnerability.

2) Reflected Cross-Site Scripting in the keywords parameter.
Status: Patched.
Details: This vulnerability was reported by Mike Bailey on June 24th 2009. See Mike's advisory for more details:
This vulnerability was fixed by yesterday.

3) Reflected POST Cross-Site Scripting in the username field of the login page
Status: Patched
Details: This vulnerability was reported by Mario Heiderich. See Mario’s advisory for more details:
This vulnerability was fixed by yesterday.

4) Persistent Cross-Site Scripting in the content-type field of the URL info page
Status: *Unpatched* Patched.
Details: This vulnerability was submitted by Mike Bailey on June 25th 2009.
Whenever a URL of a website gets shortened by service, an information page is created for the URL, with statistics and metadata about the website.
One of the metadata information being stored by is the content-type response header of the shortened URL page. This information of-course can be easily changed. fails to encode HTML entities while displaying the content-type information, and therefore allows injection of scripts to the page.
Live proof-of-concept can be found here:
Screenshot of the PoC (just in case the live demo will be removed):

Vendor response rate
It took a month and a half to fix simple XSS vulnerabilities. Very poor - 0.5 twits.

In conclusion has a large user base (who doesn't click links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...

[Update - 3 hours into Month of Twitter Bugs] have finally fixed the last vulnerability.

Labels: , ,


Blogger Freemor said...

Thanks for all the hard work and for posting the results

Muchly appreciated

July 1, 2009 4:44 PM  
Anonymous Anonymous said...

heh, just tweeted about this with the full URL and twitter auto-shortened it using ...

July 1, 2009 6:28 PM  
Blogger Todd said...

All of the previously mentioned vulnerabilities have been patched. The vulnerabilities disclosed prior to the MOTB were patched before the start of the MOTB.

In addition, we've done a broad security scrub that patched items beyond the purview of the MOTB submissions. We have also patched a bug posted on Aviv's blog that was previously undisclosed.

While we would have appreciated the 24 hours advance notice described in the guidelines, we appreciate the heads up! I'd like to mention that Mario, who submitted the initial MOTB vulnerabilities, has been helpful throughout the process.

July 1, 2009 6:55 PM  
Blogger Matteo Carli said...

Hi great work, but how this bug was reflected to Twitter users?
I played with this XSS in past days and nothing impact domain. Isn't it?

Twitter have a service for convert short URL into long url ( but this service prevent to convert URL where there are non safe char.

July 1, 2009 9:25 PM  
Anonymous Anonymous said...

If Twitter wasn't lame enough, your going to post a month of FIXED bugs? Oh joy... I'll be in my pool :P

July 1, 2009 10:26 PM  
Blogger Martin H said...

Not all are fixed,
Here is my contribution

Bit.Ly still have many bugs around their site.

Hopefully this will be quicker than a month to fix Bit.Ly Owned by

Notified them Today
Martin H
The Test Manager

July 1, 2009 10:38 PM  
Blogger Todd said...


We've patched that hole. Thanks for the heads up.

July 2, 2009 1:01 AM  
Blogger Martin H said...

Very quick and impressive.
(time from reporting to fix about 2 and half hours.

nice one Guys.


July 2, 2009 1:33 AM  
Anonymous Dorival said...

Excelent article (and initiative).

I'm testing all things here in my own url redirection service ( to be sure that it is "secure" as my slogan says.


July 2, 2009 5:56 AM  
Blogger Matteo Carli said...

My error, use twitter API and save twitter account credential into its DB. So this XSS is nice ;-)

July 2, 2009 9:53 AM  

Post a Comment

<< Home