
[Full-disclosure] Twitter "swine flu" worm
Hi, until a few days ago Twitter was affected by a vulnerability that allowed
the propagation of a worm that we like to call "Twitter swine flu".
The vulnerability exploited by the worm was a simple XSS injected into an
error page, but what is worth noticing here is that the error page was not a
specific one: it was (and currently still is) raised whenever some unhandled
Unicode characters were included in the URL.

When you call a URL and set the path or a query-string parameter to a
string containing an unsupported Unicode value (for a complete list see:
http://unicode.org/charts/PDF/U0080.pdf), the web application raises an
error page. (%A2 decodes to the lone byte 0xA2, which is not a valid UTF-8
sequence on its own.)

E.g.
http://twitter.com/%A2  -->  Invalid Unicode value in parameter user

http://twitter.com/testxss/%A2 --> Invalid Unicode value in parameter id

http://twitter.com/testxss/whatever/%A2 --> Invalid Unicode value in
parameter params

http://twitter.com/testxss?a=%A2 --> Invalid Unicode value in parameter a

No check was performed on whether the path or parameter name was a valid one.

Moreover, in the last example, the error page echoed the parameter name
without any sanitization/encoding. This led to XSS.

E.g.
If the URL
http://twitter.com/testxss?<script>alert('xss')</script>=%A2
(URL-encoded: http://twitter.com/testxss?%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E=%A2)
was called, the error page was raised and, as no validation of the parameter
name is performed, the script was executed and an alert was raised.
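The following is an added example, not code from the original post and not
Twitter's own code: a minimal model of the error-page behaviour described
above. The parameter value is checked for valid UTF-8, and when that check
fails an error page reflects the parameter name. The vulnerable handler
interpolates the name raw (the flaw described here); the hardened handler
restricts the name to an allow-list and HTML-encodes whatever it reflects.
The function names, the allow-list pattern and the sample query strings are
assumptions made for the example.

```python
import re
from html import escape
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Hypothetical allow-list for parameter names (an assumption of this example,
# not something the original application is known to have used).
SAFE_NAME = re.compile(rb"^[A-Za-z0-9_]{1,64}$")


def parse_query(query: str) -> List[Tuple[bytes, bytes]]:
    """Split a raw query string into (name, value) byte pairs.

    Both sides are kept as bytes so that neither is assumed to be valid
    UTF-8; the point of the flaw is that the value was checked and the
    name was not.  ('+' to space conversion is omitted for brevity.)
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_to_bytes(name), unquote_to_bytes(value)))
    return pairs


def _first_bad_value(query: str) -> Optional[bytes]:
    """Return the name of the first parameter whose value is not valid UTF-8,
    e.g. a lone 0xA2 continuation byte from '%A2', or None if all decode."""
    for name, value in parse_query(query):
        try:
            value.decode("utf-8")
        except UnicodeDecodeError:
            return name
    return None


def render_error_vulnerable(query: str) -> Optional[str]:
    """Mimics the behaviour described in the post: the decoded parameter
    name is echoed into the error page without any encoding, so a name such
    as <script>alert('xss')</script> is reflected as live markup."""
    name = _first_bad_value(query)
    if name is None:
        return None
    shown = name.decode("utf-8", errors="replace")
    return f"<html><body>Invalid Unicode value in parameter {shown}</body></html>"


def render_error_hardened(query: str) -> Optional[str]:
    """Same control flow, two fixes: only allow-listed names are reflected,
    and the reflected text is HTML-encoded anyway (defence in depth)."""
    name = _first_bad_value(query)
    if name is None:
        return None
    if SAFE_NAME.match(name):
        shown = escape(name.decode("utf-8"), quote=True)
    else:
        shown = "(unrecognised name)"
    return f"<html><body>Invalid Unicode value in parameter {shown}</body></html>"


if __name__ == "__main__":
    # Constructed inputs mirroring the URLs in the post.
    benign = "a=%A2"
    payload = "%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E=%A2"
    print(render_error_vulnerable(benign))
    print(render_error_vulnerable(payload))   # script tag reflected raw
    print(render_error_hardened(payload))     # name rejected, nothing reflected
```

The allow-list is what addresses "no control was performed on parameter
names"; the `escape()` call is what addresses the missing output encoding.
Either alone would have stopped this particular payload, but the two
together mean a future change to the allow-list cannot silently reintroduce
the injection.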

The worm we developed is just a PoC that exploited this vulnerability and:

   - made the victim post arbitrary tweets
   - added followers to an attacker controlled account

A video of the PoC is available at:
http://sites.google.com/site/tentacoloviola/twitterhorror
and
http://www.matteocarli.com/2009/11/twitter-horror.html

The XSS issue in the error page was patched by Twitter a few days after
our disclosure.
The Unicode issue is still there.

Regards
Rosario Valotta + Matteo Carlo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/