Friday, July 17, 2009

MoTB #17: Persistent XSS vulnerability in mobypicture

What is mobypicture
"Directly share your photos, text, audio and videos with all your friends on your favorite social sites: facebook, twitter, flickr, vimeo, and more!" (mobypicture home page)


Twitter effect
mobypicture can be used to send tweets by uploading new photos, or posting comments on existing photos.
mobypicture is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
Yet another Twitter photo sharing service. 27th place in the most used twitter clients, according to “TwitStats” - 3 twits


Vulnerability: Persistent Cross-Site Scripting (XSS) in the mobypicture picture view page.
Status: Patched.
Details: mobypicture did not HTML-encode the details of an uploaded picture (title, description, etc.), so a crafted title or description could inject script into the picture view page of every visitor.
Since the service holds its users' Twitter credentials, this vulnerability could have allowed an attacker to send tweets on behalf of their victims.
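The bug class described above, as an added example that is not mobypicture's code: a vulnerable template that interpolates the uploaded picture's title and description straight into HTML, next to the fixed version that encodes HTML entities at output time. The field names, markup and sample values are constructed for the illustration.

```python
import html
import re

# Constructed sample of user-supplied picture details, as an uploader could
# submit them (hypothetical values, not taken from the original report).
SAMPLE_DETAILS = {
    "title": 'Sunset <script>alert("xss")</script>',
    "description": 'A "quoted" description & more',
}


def render_unescaped(details):
    """The vulnerable pattern: the uploader's fields are interpolated
    straight into the page, so any markup they contain becomes live HTML
    for everyone who views the picture."""
    return (
        f'<h1 class="title">{details["title"]}</h1>\n'
        f'<p class="desc">{details["description"]}</p>\n'
        f'<img alt="{details["title"]}" src="/photo.jpg">'
    )


def render_escaped(details):
    """The fix: encode HTML entities at the point of output.  html.escape
    with quote=True also encodes quotes, which matters because the title is
    reused inside a quoted attribute (alt="...")."""
    title = html.escape(details["title"], quote=True)
    desc = html.escape(details["description"], quote=True)
    return (
        f'<h1 class="title">{title}</h1>\n'
        f'<p class="desc">{desc}</p>\n'
        f'<img alt="{title}" src="/photo.jpg">'
    )


# Crude detector used only to compare the two renderings: a literal
# <script ...> element in the output is one the browser would execute.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_element(rendered):
    return bool(SCRIPT_TAG.search(rendered))


if __name__ == "__main__":
    print("vulnerable:", contains_script_element(render_unescaped(SAMPLE_DETAILS)))
    print("fixed:     ", contains_script_element(render_escaped(SAMPLE_DETAILS)))
    print(render_escaped(SAMPLE_DETAILS))
```

Escaping at output (rather than stripping tags at upload) is the choice a reviewer would want to see: the stored value stays intact, and each output context (element body, quoted attribute) gets the encoding it needs.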
Screenshot:



Vendor response rate
The vulnerability was fixed 2 hours after it was reported. Excellent - 5 twits.
