Thursday, July 9, 2009

MoTB #09: Reflected POST XSS vulnerability in Twellow

What is Twellow
"From our home at Twellow headquarters, we're actively searching and categorizing millions of inter-personal exchanges available on the internet every day. is thereby able to assist you in finding real people who really matter. We're doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be." (Twellow about page)

Twitter effect
Twellow can be used to follow and unfollow other twitter users.
Twellow is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (according to Compete) - 4 twits

Vulnerability: Reflected POST Cross-Site Scripting in the Contact page.
Status: Patched.
Details: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page.
This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.

Vendor response rate
The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email. Good - 4 twits.


Blogger d3v1l said...

and still vulnerable on user_add.php module


July 9, 2009 10:37 PM  
Anonymous Matthew Daines said...

The user_add.php vulnerability has been repaired. Thanks for pointing it out.

Matthew Daines
Twellow Lead Developer

July 10, 2009 5:16 PM  

Post a Comment

<< Home