Twitter is one of the leading social networking and information sharing system these days.
I have recently discovered(and reported) a XSS vulnerability that if not reported could lead to something similar to "HyHack is my hero" ;).
For whoever of you who did not know, Twitter Implemented a feature called "Lists", this feature lets any user the ability of adding anyone, without any terms or relation to the "follow" mechanism (they don't have to follow the attacker and vice versa)*, to his malicious XSSed list.
The reason of this being so High Risk stored XSS vulnerability, is that the attack potentially triggered on anyone who entered the attacker's profile "Lists" using a mobile. after a victim got infected, the attack triggers again and infect anyone who will view the victim's "Lists" and anybody who will view theirs and so on... (only victims that will use a mobile will get infected! reminds you of something? )
*I did not test if a user can add a protected (locked) people to his lists. any comment on this will be appreciated.
PoC Picture watching the victim's profile:
I have recently discovered(and reported) a XSS vulnerability that if not reported could lead to something similar to "HyHack is my hero" ;).
For whoever of you who did not know, Twitter Implemented a feature called "Lists", this feature lets any user the ability of adding anyone, without any terms or relation to the "follow" mechanism (they don't have to follow the attacker and vice versa)*, to his malicious XSSed list.
The reason of this being so High Risk stored XSS vulnerability, is that the attack potentially triggered on anyone who entered the attacker's profile "Lists" using a mobile. after a victim got infected, the attack triggers again and infect anyone who will view the victim's "Lists" and anybody who will view theirs and so on... (only victims that will use a mobile will get infected! reminds you of something? )
*I did not test if a user can add a protected (locked) people to his lists. any comment on this will be appreciated.
PoC Picture watching the victim's profile:
The effect of this XSS is ONLY on victims that use twitter on Mobile!
I most say the lists feature was not fully implemented in the browser at the time I was testing, so most of my testing performed on the "Me" tab.
Twitter did a great job resolving this vulnerability very quickly (~Day after my report), and placed my name in the Twitter Security Whitehats page(2012) later on.
I would like to thank Twitter for their work and for giving me the opportunity to report a responsible disclosure and help keeping Twitter Users safe.