In association with heise online

21 March 2009, 10:53

Twitter XSS vulnerability


Secure Science Corporation has published a proof of concept for an XSS vulnerability which it says could spread virally, like a worm, on the popular microblogging service Twitter. The exploit is similar to the "Don't click" clickjacking exploit found at the end of February: when users inadvertently clicked the links while logged into their accounts, the embedded script automatically re-posted itself under their Twitter account.

The exploit makes use of a web programming error on Twitter's support site to post the unwanted message. The test code provided by Secure Science posts the message "@XSSExploits I just got owned!" to the victim's profile. According to Lance James, chief scientist at Secure Science, the attack could be modified so that there is no warning screen and so that it includes a message users would be more likely to click on.

The exploit makes use of a Twitter page with a form that allows injected JavaScript to create a hidden HTML form. That form then uses the Twitter API to re-post a message under the currently logged-in user's account.
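The two defects that make this chain work are a page that reflects a parameter without encoding it, and an API that accepts a state-changing post from any form the browser submits with the user's cookies. The following Python is an added illustration of the two server-side checks that break the chain; it is not Twitter's or Secure Science's code, and the names `render_support_page`, `csrf_token_for`, `handle_status_update`, the server secret and the origin `https://twitter.example` are constructed for the example.

```python
import hashlib
import hmac
import html

# Constructed secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"
# Placeholder for the site's own origin, used to refuse cross-site form posts.
SITE_ORIGIN = "https://twitter.example"


def render_support_page(query: str) -> str:
    """Reflect a user-supplied search term into the support page safely.

    The reported flaw is a parameter echoed into the page unencoded, so a
    crafted link can inject script. html.escape() turns the markup into
    inert text, which is what the support page should have done.
    """
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session token that a script-built hidden form cannot guess.

    The token is tied to the session, so a form submitted from an injected
    page carries the victim's cookies but not a valid token.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_status_update(form, session_id, origin=None):
    """Accept a status update only if it carries the session's CSRF token and,
    when the browser sends an Origin header, only if it comes from the site.

    Returns (http_status, message) so callers and tests can check the outcome.
    """
    expected = csrf_token_for(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    status = form.get("status", "")
    if not status or len(status) > 140:
        return 400, "status must be 1-140 characters"
    return 200, f"posted: {status}"
```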

Another security problem on Twitter is that, because of the 140 character limit, users often rely on URL-shortening services, which shorten a URL but also mask it. This means that users cannot tell whether they are clicking on a trustworthy link.
