

Twitter Exploit Still Works - dredge
http://www.davidnaylor.co.uk/twitter-exploit-still-works.html
Twitter XSS exploit from yesterday still works. They haven't done a very good job of fixing it.
You only need to see an exploited tweet to be affected!
======
julio_the_squid
Seriously, their response was to disable spaces in the form?

There is no legitimate reason for anything other than \w to be in there... how
about a real filter? Twitter has been lazy and generally pathetic in just
about every area since they began... talk about getting lucky with a good
idea.

~~~
tdavis
There is no legitimate reason to not _escape the damn output_ , either.
Twitter has officially reached the level of satire, folks.

63 Employees. 55 Million dollars. And twice they fail to accomplish the
trivial.

~~~
jrockway
And don't they use Rails, which presumably makes it very easy, if not the
default, to escape HTML output?

~~~
dnaquin
PSA: escaping HTML only helps if you're allowing user-generated text outside
of any tag.

If you're allowing user-generated text into an HTML tag (i.e. this case),
escaping HTML tags won't help.

~~~
jrockway
Why not?

The substitution they do is <a href="%s">, and you can "game that" by
inserting 'http://foo.com>; other stuff goes here <whatever foo="">' Fine. The
literal HTML that the user sees becomes '<a href="http://foo.com>other stuff
goes here <whatever foo="">'. That's bad.

Now if you escape that properly, you get: '<a href="http://foo.com&quot;&gt;
other stuff goes here &lt;whatever foo=&quot;">' Garbage, but not a security
problem.

(BTW, news.arc fucks up the escaping too, so this example is garbage. Sorry.
See nopaste here: <http://scsys.co.uk:8001/33063>

Edit: _sigh_ , that is also broken! Bottom line; none of these things will
happen to you if you replace every & with &amp;, every " with &quot;, every '
with &apos;, every < with &lt; and every > with &gt;.)

~~~
dnaquin
Congratulations, you've just stopped one particular attack.

There'll be something you forget. Blacklisting is only a good idea if
whitelisting isn't possible. (see the \w above)

e.g. you forgot javascript:alert(document.cookie), which depends on a click and
in and of itself isn't dangerous, but is a symptom of a greater problem.

edit: except you need to allow more than \w.
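The two points made above (jrockway's: escape the five special characters and the attribute breakout becomes harmless garbage; dnaquin's: escaping leaves a javascript: URL completely intact, so the href also needs a whitelist that is wider than \w but still excludes scripting schemes) as one worked example. This is added code, not Twitter's code and not anything posted in this thread; the `<a href="%s">` template, the function names and both input strings are constructed for the demonstration. One deliberate difference from the escaping list given above: the apostrophe is written as `&#39;` rather than `&apos;`, because `&apos;` is an XML entity that HTML 4 era browsers did not define.

```javascript
// Added example: HTML attribute escaping versus URL whitelisting for an
// <a href="%s"> substitution built from user input. Not from the original
// thread; all inputs are constructed.

// Escape the five characters that can break out of text or a quoted attribute.
// Ampersand goes first so the entities we emit are not re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')   // &apos; is XML only; &#39; works everywhere
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// The vulnerable pattern: raw substitution into the template.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escaped substitution: a breakout payload degrades to harmless garbage,
// but the href value itself is still whatever the user supplied.
function renderLinkEscaped(url) {
  const e = escapeHtml(url);
  return '<a href="' + e + '">' + e + '</a>';
}

// Whitelist before escaping. Only absolute http/https URLs made of RFC 3986
// characters pass; the anchored scheme check is what rejects javascript:,
// data:, vbscript: and friends, which escaping alone would pass through.
// (Hypothetical pattern for the example; wider than \w, as the thread notes.)
const SAFE_URL = /^https?:\/\/[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+$/;

function renderLinkSafe(url) {
  if (!SAFE_URL.test(url)) {
    return null; // reject outright rather than trying to "clean" it
  }
  return renderLinkEscaped(url);
}

// Structural check used below: does the output still consist of exactly the
// one <a href="...">text</a> we meant to emit, with no stray quote or tag?
function breaksOutOfAttribute(html) {
  return !/^<a href="[^"]*">[^<]*<\/a>$/.test(html);
}

// Constructed inputs: the attribute breakout from jrockway's post and the
// click-dependent javascript: URL from dnaquin's reply.
const BREAKOUT = 'http://foo.com"> other stuff goes here <whatever foo="">';
const JS_URL = 'javascript:alert(document.cookie)';

// Summary of what each rendering does with each input.
function demo() {
  return {
    unsafeBreaksOut: breaksOutOfAttribute(renderLinkUnsafe(BREAKOUT)), // true
    escapedBreaksOut: breaksOutOfAttribute(renderLinkEscaped(BREAKOUT)), // false
    escapedKeepsJsUrl: renderLinkEscaped(JS_URL).includes('href="javascript:'), // true
    safeRejectsJsUrl: renderLinkSafe(JS_URL) === null, // true
    safeRejectsBreakout: renderLinkSafe(BREAKOUT) === null, // true
  };
}
```

`renderLinkEscaped` is the fix the thread is asking for and is sufficient against this particular breakout; `renderLinkSafe` is the extra step that a blacklist of characters never gets you, since `javascript:alert(document.cookie)` contains nothing that escaping touches. Rejecting on whitelist failure (returning `null`) is deliberate: trying to repair a URL that fails the check just reopens the blacklist problem.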

------
jdminhbg
I generally take the view that people are too hard on Twitter, and that
maintaining a gigantic network like this is a lot more difficult than it
looks.

This, though, as a 'fix,' is just complete incompetence.

~~~
tdavis
I used to give them the benefit of the doubt on that. I've now changed my view
to: it's probably more difficult than it looks, but Twitter makes it look
_impossible_.

------
lonestar
To anyone with any level of web security experience, the real fix for this
(proper escaping) should be obvious.

For every really trivial vulnerability like this that Twitter can't fix, there
must be scores of slightly more subtle vulns that go undisclosed.

------
jreposa
Semi-off-topic, but I found something seriously wrong with Craigslist.

<https://post.craigslist.org/manage/1340717167/tkrju#tr231033>

That link will allow you to edit that post. You don't even have to be logged
in.

I've already alerted them, but let's see how long this lasts.

~~~
thomaspaine
The hashtag isn't necessary, i.e.
<https://post.craigslist.org/manage/1340717167/tkrju> works too.

Actually, I think craigslist probably views this more as a feature than an
exploit. Since you don't need an account to post on craigslist, they can't do
normal cookie based authentication, so they just give you a secret url for
editing your page. Unfortunately, the only thing secret about the url is a 5
character alpha-numeric string, which I suppose would be possible to brute
force.

------
Derrek
Wow... Did some brand new intern get assigned the responsibility to "fix"
this?

Like the author said, I think I'll be off Twitter for a little while too.

------
ulf
This is unbelievable. Even more so that they would not just disable the
displaying of the application until they are sure that thing is fixed. My
guess is this was just the beginning of big time spam/phish/... problems for
twitter...

------
Titanous
If you still want to use the (scary) web interface, there is always NoScript.

~~~
kwamenum86
Twitter should disable everything except registration through the web
interface. If it is not a script injection vulnerability, it is a 404 error
returned for the CSS file resulting in a linear layout, or the web interface
not loading at all. The API on the other hand is usually up (and by extension
so are third party apps.) If they focus their attention on supporting the API
they could charge app developers a fee, which many would happily pay since
they would be the exclusive interfaces used for Twitter (since the web
interface would be gone) and they could build ads, charge for app use, and
provide customized extended Twitter functionality.

I am completely half serious on this.

------
plainspace
Does this mean that if I am using TweetDeck on a Mac that I am vulnerable?

~~~
thamer
No, the exploit is only for applications capable of interpreting JavaScript,
such as web browsers.

~~~
blasdel
Except that there are a lot of RIA twitter clients that render the tweets in a
Webkit view.

