Thursday, July 23, 2009

MoTB #23: TwitterCounter/TwitterRemote Reflected XSS vulnerabilities

What is TwitterCounter
"Just as TwitterCounter could be described as Feedburner for Twitter, you could say that TwitterRemote is like MyBlogLog for Twitter." (TwitterCounter about page)


Twitter effect
TwitterCounter can be used to send new tweets and reply to other Twitter users.
TwitterCounter uses OAuth to access the Twitter API, so the site holds an access token for every user who has authorised it. Script running in the twittercounter.com origin can therefore drive the site's tweet-sending feature with the victim's own session, which is why a reflected XSS here is enough to tweet as the victim.


Popularity rate
Over 830,000 unique visitors per month (according to Compete) - 4 twits



1) Vulnerability: Reflected Cross-Site Scripting in the Country page.
Status: Unpatched.
Details: The TwitterCounter country page does not HTML-encode the "time_zone" query parameter before reflecting it into the page, which allows the injection of script. The proof of concept below is an HTML-context payload: the leading '">' in the decoded value is there to close the quoted attribute and the tag the parameter is echoed into, after which a <script> element is injected.
The vulnerability was also submitted, and publicly disclosed, by d3v1l.
This vulnerability can be used by an attacker to send tweets on behalf of the victim.
Proof-of-Concept: http://twittercounter.com/pages/country?time_zone=XXX%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E


2) Vulnerability: Reflected Cross-Site Scripting in the iframe.php page.
Status: Unpatched.
Details: The TwitterRemote iframe.php page writes its query parameters, the colour values among them, into the page without encoding or validation, which allows the injection of script. The colours land inside an inline style rather than in HTML, so the proof of concept does not need an HTML breakout: the "bg_color" value ends the background-colour declaration with ";" and appends a "color:" declaration whose value is a CSS expression(). expression() is an Internet Explorer extension that evaluates its argument as script, so this particular payload fires only in older IE (IE7 and earlier, or IE8 in compatibility mode) and is ignored by other browsers; the underlying bug is the same regardless of which browser renders the page.
This vulnerability can be used by an attacker to send tweets on behalf of the victim.
Proof-of-Concept: http://twittercounter.com/remote/iframe.php?username_owner=xxx&users_id=3351429&nr_show=6&hr_color=cccccc&a_color=709cb2&bg_color=;color:expression(alert('xss'))
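The two bugs above are the same mistake in two different output contexts, and the fix differs per context: entity-encoding stops the attribute breakout in the country page, but does nothing for a value echoed inside a style attribute, where the only sane fix is to validate the colour against the shape it is supposed to have. The following is an added example, not TwitterCounter's or TwitterRemote's code: the templates are a hypothetical reconstruction of the bug class, the two payloads are the URL-decoded values from the proof-of-concept URLs in this post, and the function names are mine.

```python
import html
import re

# The two proof-of-concept payloads from the post, URL-decoded. Constructed
# inputs for this example; the templates below are a hypothetical
# reconstruction of the bug class, not the real pages.
POC_TIME_ZONE = 'XXX"><script>alert("XSS")</script>'
POC_BG_COLOR = ";color:expression(alert('xss'))"


def country_page_vulnerable(time_zone: str) -> str:
    """Reflects the time_zone query value straight into an attribute value.
    A value containing '">' closes the attribute and the tag, so everything
    after it is parsed as markup."""
    return f'<input type="text" name="time_zone" value="{time_zone}">'


def country_page_fixed(time_zone: str) -> str:
    """Same template with HTML-attribute encoding. html.escape(quote=True)
    turns < > & " ' into entities, so the value cannot leave the quoted
    attribute whatever it contains."""
    return f'<input type="text" name="time_zone" value="{html.escape(time_zone, quote=True)}">'


# An inline style is a CSS context, not an HTML one: entity encoding is no
# help because ; : ( ) are harmless to the HTML parser and meaningful to CSS.
# The parameters only ever need to be 6-digit hex colours, so whitelist them.
HEX_COLOR = re.compile(r"^[0-9A-Fa-f]{6}$")


def safe_hex_color(value: str, default: str) -> str:
    """Return value if it is a 6-digit hex colour, otherwise the default."""
    return value if HEX_COLOR.fullmatch(value) else default


def iframe_vulnerable(bg_color: str, a_color: str) -> str:
    """Mirrors the bug class of remote/iframe.php: colour parameters dropped
    into a style attribute. ';color:expression(...)' ends the background
    declaration and adds one that old Internet Explorer evaluates as script."""
    return (f'<div style="background-color:#{bg_color}">'
            f'<a style="color:#{a_color}" href="#">follower</a></div>')


def iframe_fixed(bg_color: str, a_color: str) -> str:
    """Validate each colour before it reaches the style attribute; anything
    that is not a hex colour falls back to a default instead of being echoed."""
    bg = safe_hex_color(bg_color, "cccccc")
    a = safe_hex_color(a_color, "709cb2")
    return (f'<div style="background-color:#{bg}">'
            f'<a style="color:#{a}" href="#">follower</a></div>')


def dangerous_markup(markup: str) -> bool:
    """Crude regression check: a raw <script tag or a CSS expression( in the
    rendered output means the payload survived rendering."""
    lowered = markup.lower()
    return "<script" in lowered or "expression(" in lowered


if __name__ == "__main__":
    cases = [
        ("time_zone", country_page_vulnerable(POC_TIME_ZONE), country_page_fixed(POC_TIME_ZONE)),
        ("bg_color", iframe_vulnerable(POC_BG_COLOR, "709cb2"), iframe_fixed(POC_BG_COLOR, "709cb2")),
    ]
    for name, before, after in cases:
        print(f"{name}: vulnerable={dangerous_markup(before)} fixed={dangerous_markup(after)}")
        print("  fixed output:", after)
```

Run it and the vulnerable renderings contain the live <script> tag and the expression() declaration respectively, while the fixed ones contain an entity-encoded string and the default colour. The point worth keeping from the iframe.php case is that "encode the output" is not a universal answer; the encoder has to match the context the value lands in, and for a value that has a fixed shape, rejecting anything else is simpler and safer than trying to escape CSS.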
Screenshot:



Vendor response rate
The vendor did not respond to any of the emails I sent during the past week - 0 twits.
