Twitter Hacked

Twitter fixes XSS vulnerability.

15th May 2009

You may have heard that Twitter was hacked last month (twice in fact).  I thought this would be a good opportunity to talk about what happened to Twitter and how you can ensure that your sites do not suffer from the same problem.

Twitter had what is known as an XSS (Cross Site Scripting) vulnerability in the location field of the profile page.  In simple terms, this means that they were not cleaning up the text that users entered before displaying it to other users.  So if you were to enter the following into your location input:

[Screenshot: Twitter 1]

It should be displayed on the profile page a bit like this:

[Screenshot: Twitter 2]

However, because the Twitter software wasn’t cleaning up the code before displaying it on the page, it instead would have rendered the <b> tags and put the “here” word in bold like this:

[Screenshot: Twitter 3]

This is extremely dangerous.  Instead of injecting a <b> tag, the attackers used a <script> tag to reference a script held on another web server.  This script would then be executed automatically in the browser of any user who visited an infected profile page.  As the script runs in your browser as part of the Twitter page itself, it has access to your cookies (which means the hacker could easily hijack your account and log onto the site as if they were you).

The script could also execute AJAX requests back to the server from your account automatically without you knowing – which is exactly what it did.  The script initially posted a number of updates from your account that advertised a web site in competition with Twitter.  It then updated your location to include the same script.  Anyone viewing your profile will now have their account infected in the same way as yours was.

Whilst I am quite used to seeing this sort of thing on small web sites developed by less experienced developers, it’s a real surprise to see it on such a high profile system.  After SQL Injection, XSS is possibly the best-known vulnerability.  It’s incredible to think that the Twitter team had not tested for this basic security error, and even more surprising that it wasn’t attacked earlier.

Of course, by now they have fixed the problem.  But what’s strange is that they appear to have fixed it twice.  If you enter “I’m <b>here</b>” as your location, it should convert this to the HTML “I’m &lt;b&gt;here&lt;/b&gt;”, which your browser will then display exactly as it was entered: “I’m <b>here</b>”.  However, they’ve then taken the HTML it was converted into and converted it again, so it now says “I’m &amp;lt;b&amp;gt;here&amp;lt;/b&amp;gt;” and gets rendered as below:

[Screenshot: Twitter 4]
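To make the three behaviours concrete, here is an added example in Python (not Twitter’s code and not from the original article): the unescaped rendering that let the <b> tag through, the single-escaped rendering that fixes it, and the double-escaped rendering described above, plus a check that tells the three apart.  The paragraph wrapper and the classify helper are assumptions made for illustration.

```python
import html

# Constructed sample input: the same text the article walks through.
LOCATION_INPUT = "I'm <b>here</b>"

# Assumed markup around the location field (not Twitter's real template).
OPEN, CLOSE = '<p class="location">', "</p>"


def render_vulnerable(location: str) -> str:
    """Unescaped: whatever the user typed becomes live markup in every viewer's browser."""
    return f"{OPEN}{location}{CLOSE}"


def render_escaped(location: str) -> str:
    """Escape exactly once, at output time: the browser shows the text as typed."""
    return f"{OPEN}{html.escape(location, quote=True)}{CLOSE}"


def render_double_escaped(location: str) -> str:
    """The second 'fix': already-escaped text escaped again, so literal &lt;b&gt; is shown."""
    once = html.escape(location, quote=True)
    return f"{OPEN}{html.escape(once, quote=True)}{CLOSE}"


def classify(rendered: str, original: str) -> str:
    """Report how the user's text ended up inside the wrapper:
    'raw' (markup leaked through), 'ok' (escaped once) or 'double' (escaped twice)."""
    inner = rendered[len(OPEN):-len(CLOSE)]
    if inner == original and any(c in inner for c in "<>&"):
        return "raw"
    if html.unescape(inner) == original:
        return "ok"
    if html.unescape(html.unescape(inner)) == original:
        return "double"
    return "unknown"


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("escaped", render_escaped),
                         ("double", render_double_escaped)):
        out = render(LOCATION_INPUT)
        print(f"{name:10} {classify(out, LOCATION_INPUT):6} {out}")
```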

This exact security problem is covered in our free Web Security Workshop, where we use it to hijack the administrator’s account and access the admin area.  Please get in touch if you’d like to attend.

For a quote to test your web site for these sorts of vulnerabilities, please contact Simon on 0116 2729990.
