[Full-disclosure] Twitter [Mobile] Account Settings Cross Site Scripting and Multiple Html Injection
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Twitter [Mobile] Account Settings Cross Site Scripting and Multiple Html Injection
- From: karma cyberintel <karmacyberintel1@xxxxxxxxx>
- Date: Wed, 18 Jan 2012 13:08:51 +0530
*Description of script:*
Twitter provides features to protect user privacy: using the account
settings you can protect your Tweets, change your username, change your
password, and change your e-mail address.
*Affected script URL:*
URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name
*Vulnerability Description:*
1) Cross Site Scripting Vulnerability (Twitter mobile is affected by user-side
XSS, although it is protected against clickjacking):
Cross-site scripting is a type of injection in which malicious JavaScript is
injected into a web site's dynamic pages.
2) HTML Injection Vulnerability (Twitter mobile is affected on the user side;
one HTML injection was stored):
HTML injection is a type of injection in which malicious HTML code is
injected into a web site's pages.
*Exploit Description + Proof of Concept:*
URL #1: https://mobile.twitter.com/settings/name
Title #1: Stored HTML Injection Vulnerability
In the above URL there is one input box to change the name. The HTML code
of the input box is as follows.
For more details:
http://www.karmacyberintel.net/2012/01/twitter-mobile-account-settings-cross-site-scripting-and-multiple-html-injection-vulnerability/
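As an added illustration of the stored HTML injection described above (example code, not from the advisory or from Twitter), the following shows a display name being interpolated into a settings-page fragment once verbatim and once entity-encoded, an allowlist check for the screen_name field, and a sweep over stored names that a defender could use to find markup already persisted. The template, the sample name and the screen_name rule are all constructed assumptions.

```python
import html
import re

# Constructed sample of what a user could type into the "name" box (not
# from the advisory; the tags are inert formatting, used only to show the
# difference between the two rendering paths).
SAMPLE_NAME = 'Alice <b>Example</b>'

# Hypothetical fragment of a settings page: the stored name is placed both
# inside an attribute value and inside a text node, the two contexts that
# need encoding.
TEMPLATE = '<label>Name</label><input name="name" value="{name}"><p>{name}</p>'

# Constructed allowlist for the screen_name field: letters, digits and
# underscore, 1 to 15 characters.
SCREEN_NAME_RE = re.compile(r'^[A-Za-z0-9_]{1,15}$')


def render_unescaped(name: str) -> str:
    """Vulnerable path: the stored name is interpolated verbatim, so any
    markup in it becomes live HTML on every page that shows it."""
    return TEMPLATE.format(name=name)


def render_escaped(name: str) -> str:
    """Hardened path: entity-encode <, >, &, " and ' before interpolation,
    so the browser renders the tags as literal text in both contexts."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def valid_screen_name(candidate: str) -> bool:
    """Reject anything outside the allowlist before it is stored; this is
    validation on input, which complements (not replaces) output encoding."""
    return SCREEN_NAME_RE.fullmatch(candidate) is not None


def audit_stored_names(names: list[str]) -> list[str]:
    """Return stored names that contain HTML-significant characters, for
    finding values that were persisted before output encoding was fixed."""
    return [n for n in names if any(ch in n for ch in '<>&"\'')]


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_NAME))
    print(render_escaped(SAMPLE_NAME))
    print(audit_stored_names([SAMPLE_NAME, 'plain name']))
```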
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/