Thursday, July 16, 2009

MoTB #16: HelloTxt Persistent XSS

What is HelloTxt
"HelloTxt lets you update your status and read your friends' status across all main microblogging and social networks all at once." (HelloTxt about page)


Twitter effect
HelloTxt can be used to send tweets to other Twitter users.
HelloTxt uses username/password authentication to access the Twitter API.


Popularity rate
16th place in the Top 100 Twitter services of The Museum of Modern Betas Labs - 4 twits



Vulnerability: Persistent Cross-Site Scripting in the HelloTxt profile page.
Status: Patched.
Details: HelloTxt did not encode HTML entities in the username field updated by the user, which could have allowed the injection of scripts into the profile page.
This vulnerability could have allowed an attacker to send tweets on behalf of the victims who viewed the page.
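The bug class described above, shown as an added illustration (not HelloTxt's code): a profile fragment rendered without entity encoding beside the hardened version, plus a small regression check that flags any user-controlled input that introduces a tag. The template, the sample usernames and the function names are constructed for this example.

```python
import html
import re

# Constructed test inputs for the regression check; this is an added
# illustration of the bug class, not HelloTxt's own code.
SAMPLE_USERNAMES = [
    "alice",
    '"><script>alert(1)</script>',   # tries to close a quoted attribute
    "<script>alert(1)</script>",     # plain text-node injection
]

# Minimal profile-page fragment: the username lands in an attribute and a text node.
PROFILE_TEMPLATE = '<h1 title="{attr}">{text}</h1>'


def render_profile_unsafe(username: str) -> str:
    """Deliberately vulnerable: user data interpolated with no entity encoding,
    the pattern the post describes."""
    return PROFILE_TEMPLATE.format(attr=username, text=username)


def render_profile_safe(username: str) -> str:
    """Hardened: entity-encode per context. quote=True also encodes ' and "
    so a username cannot terminate the title attribute."""
    return PROFILE_TEMPLATE.format(
        attr=html.escape(username, quote=True),
        text=html.escape(username, quote=False),
    )


_TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)")


def tag_names(fragment: str) -> set:
    """Names of every start/end tag in the fragment. With correct encoding only
    the template's own <h1> should appear."""
    return {m.group(1).lower() for m in _TAG_RE.finditer(fragment)}


def renderer_is_safe(render, usernames=SAMPLE_USERNAMES) -> bool:
    """Regression check: no user-controlled input may introduce a tag."""
    return all(tag_names(render(u)) == {"h1"} for u in usernames)
```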
Screenshot:



Vendor response rate
The vulnerability was fixed 3 days after it was reported. Moderate - 3 twits.

1 comment:

Blogger d3v1l said...

another XSS on login module,
check -> http://m.hellotxt.com

http://img21.imageshack.us/img21/4417/39200530.png

July 16, 2009 11:46 PM  
