Wednesday, July 22, 2009

MoTB #22: CSRF in StockTwits

What is StockTwits
"StockTwits is an open, community-powered idea and information service for investments. Users can eavesdrop on traders and investors, or contribute to the conversation and build their reputation as savvy market wizards. The service takes financial related data - using Twitter as the content production platform - and structures it by stock, user, reputation, etc." (StockTwits about page)


Twitter effect
StockTwits can be used to send tweets and to follow other Twitter users.
StockTwits uses the OAuth authentication method to access the Twitter API.


Popularity rate
82nd place according to "The Museum of Modern Betas". - 2 twits



Vulnerability: Cross-Site Request Forgery in the update JSON page.
Status: Patched.
Details: The StockTwits update JSON page did not use an authenticity token to validate that the HTTP POST originated from the StockTwits web application, so a request submitted by any other site on behalf of a logged-in user was accepted.
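To make the missing check concrete, the following is an added example (not StockTwits' own code) that models a status-update handler before and after an authenticity token is enforced. The `Session` class, the `handle_update_*` functions and the `authenticity_token` field name are assumptions; the simulated cross-site POST is constructed input.

```python
"""Minimal model of an anti-CSRF authenticity-token check.

Added example, not StockTwits code. Assumes a hidden form field named
``authenticity_token`` whose value is mirrored in the server-side session;
all names are illustrative.
"""
import hmac
import secrets


class Session:
    """Server-side session for an authenticated user (hypothetical)."""

    def __init__(self, user):
        self.user = user
        # One unpredictable token per session; the genuine form embeds it.
        self.csrf_token = secrets.token_urlsafe(32)


def render_update_form(session):
    """The legitimate StockTwits-style form carries the session's token as a hidden field."""
    return {"status": "", "authenticity_token": session.csrf_token}


def handle_update_vulnerable(session, form):
    """Before the fix: any POST arriving with a valid session cookie updates the status.

    Browsers attach the cookie automatically, so a POST built by another origin
    is indistinguishable from one sent by the real form.
    """
    return {"ok": True, "user": session.user, "status": form.get("status", "")}


def handle_update_fixed(session, form):
    """After the fix: the POST must carry the token that only the genuine form knows."""
    supplied = form.get("authenticity_token", "")
    # Constant-time comparison on bytes; hmac.compare_digest on str rejects non-ASCII input.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return {"ok": False, "error": "invalid authenticity token"}
    return {"ok": True, "user": session.user, "status": form.get("status", "")}


def simulate():
    """Run both handlers against a genuine submission and a constructed cross-site POST."""
    session = Session("alice")

    legit = render_update_form(session)
    legit["status"] = "$AAPL holding above support"  # constructed sample tweet

    # Constructed cross-site POST: the same-origin policy stops the other site
    # from reading the token, so it can only supply the fields it already knows.
    forged = {"status": "constructed forged status"}

    return {
        "vulnerable_forged": handle_update_vulnerable(session, forged)["ok"],
        "fixed_forged": handle_update_fixed(session, forged)["ok"],
        "fixed_legit": handle_update_fixed(session, legit)["ok"],
    }


if __name__ == "__main__":
    print(simulate())
```

The only difference between the two handlers is the token comparison, which is exactly the check the page reports as missing; the forged request succeeds against the first handler and is rejected by the second, while the genuine form still works.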
Screenshots:




Vendor response rate
The vulnerability was fully fixed 22 hours after it was reported. Excellent - 5 twits.

1 Comment:

Blogger derv0 @ nubisci dot net said...

haha. nice catch avivra!!!

July 24, 2009 5:24 PM  
