Saturday, July 11, 2009

MoTB #11: Twitturly Persistent XSS

What is Twitturly
"Twitturly tracks the URLs flying around the Twitterverse and provides a quick, real-time view of what people are talking about on Twitter." (Twitturly about page)

Twitter effect
Twitturly can be used to send tweets to other Twitter users. Twitturly uses username/password authentication in order to use the Twitter API.

Popularity rate
19th place in the Top 100 Twitter services of The Museum of Modern Betas Labs.

Vulnerability: Persistent Cross-Site Scripting in the Twitturly URLs view page.

Status: Patched.

Details:
Twitturly did not HTML-encode the un-shortened URLs it displays, which could have allowed the injection of scripts. Because Twitturly holds its users' Twitter credentials, this vulnerability could have allowed an attacker to send tweets on behalf of its victims.

Vendor response rate
The vulnerability was fixed 2 hours after it was reported.
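As an added illustration of the bug class described above (example code written for this page, not Twitturly's own code), the following Python renders an expanded URL once without encoding and once HTML-encoded, and uses the standard-library HTML parser to check which tags a browser would actually see. The sample URL is constructed; the function names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an un-shortened URL carrying markup in its query string.
SAMPLE_URL = 'http://example.com/?q="><script>alert(1)</script>'

# Only these schemes may become clickable links; anything else is shown as text.
LINKABLE_SCHEMES = {"http", "https"}


def escape_url_for_html(url: str) -> str:
    """HTML-encode an untrusted URL for use both as element text and inside a
    double-quoted attribute: & < > " and ' all become entities."""
    return html.escape(url, quote=True)


def render_url_link_unescaped(url: str) -> str:
    """The vulnerable pattern: the expanded URL is dropped into the page as-is."""
    return f'<a href="{url}">{url}</a>'


def render_url_link(url: str) -> str:
    """The hardened pattern: escape once, and only link http(s) URLs so that a
    scheme such as javascript: can never become a link target."""
    escaped = escape_url_for_html(url)
    if urlsplit(url).scheme.lower() in LINKABLE_SCHEMES:
        return f'<a href="{escaped}" rel="nofollow">{escaped}</a>'
    return f"<span>{escaped}</span>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> list[str]:
    """Regression check: list the element names a browser would create from
    the fragment. A correctly encoded URL yields only the template's own tag."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print("unescaped:", tags_in(render_url_link_unescaped(SAMPLE_URL)))
    print("escaped:  ", tags_in(render_url_link(SAMPLE_URL)))
```

Running the block prints the tag list for each rendering: the unescaped version yields a `script` element, the encoded version only the `a` element.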