Saturday, July 25, 2009

MoTB #25: CSRF+XSS vulnerabilities in TwitStat

What is TwitStat
TwitStat provides a mobile web interface for Twitter.


Twitter effect
TwitStat can be used to send tweets, direct messages and follow/unfollow other Twitter users.
TwitStat is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
30th place in the most used twitter clients list, according to “TwitStat” - 3 twits


Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The TwitStat index.php web page did not use authenticity code in order to validate that the HTTP post is coming from the TwitStat web application.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.

2) Reflected POST Cross-Site in the Search page.
Status: Patched.
Details: The TwitStat search page did not encode HTML entities in the "terms" form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: http://www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
Screenshot:



Vendor response rate
The vulnerabilities were fixed 5 days after they have been reported. Moderate - 3 twits.

0 Comments:

Post a Comment

<< Home