MoTB #10: CSRF+XSS vulnerabilities in Twitiq

What is Twitiq
"TwitIQ is an enhanced Twitter interface that provides insight into your Twitter stream and Twitter followers." (Twitiq home page)


Twitter effect
Twitiq can be used to send tweets, direct messages and follow/unfollow other Twitter users.
Twitiq is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
A new 3rd party service, which already gained 5K unique visitors per month (according to Compete)- 1 twit


Vulnerability: Cross-Site Request Forgery and Cross-Site Scripting in jsonp.php.
Status: Patched.
Details: The Twitiq jsonp.php web page did not use authenticity code in order to validate that the HTTP post is coming from the Twitiq web application. Also, the jsonp.php did not encode HTML entities in the "jcb" variable.
Both vulnerabilities could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of it's victims.
Proof of Concept: http://www.twitiq.com/jsonp.php?jcb=%3Cscript%3Ealert("xss")%3C%2Fscript%3E&action_jsonp=new_status&status=CSRF
Screenshots:



Vendor response rate
The vulnerabilities were fixed within 1 hour after they have been reported. Excellent - 5 twits.

MoTB #04: CSRF in BigTweet

What is BigTweet
"BigTweet was developed by Scott Carter (@scott_carter) as a way to interact more effectively with various networks from the Web. When you click on the BigTweet bookmarklet, a window appears in the middle of your current web page. Use it to post to Twitter or FriendFeed and then return to what you were doing. It doesn't get any faster." (BigTweet home page)


Twitter affect
BigTweet can be used to send tweets from any web page by using a bookmarklet.
BigTweet is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
While Bigtweet is not on any of the top Twitter services lists, it has an easy to integrate bookmarklet interface - 1 twit


Vulnerability: Cross-Site Request Forgery in BigTweet upate.json.
Status: Patched.
Details: The bigtweet update.json web page did not use authenticity code in order to validate that the HTTP post is coming from the bigtweet web application.
Screenshots:



Note: While the proof-of-concept in the screenshots used the "xxx" twitter user, the page will actually send a tweet for the currently logged-in user (in the PoC - @avivra). Any bigtweet.com registered user could have been used instead of xxx.


Vendor response rate
Vulnerability was fully fixed 22 hours after it has been reported.
Scott Carter, the developer of BigTweet, is also the one who came up with the idea of having a security best practices document for API developers. Alex Payne from Twitter has written such document last week. Excellent - 5 twits.