Twitter fixes cross-site scripting flaw

A serious security flaw was apparently found on Twitter on Tuesday but was quickly fixed.

The problem was a cross-site scripting flaw, wrote Georg Wicherski of Kaspersky Lab ZAO on the Russian security company’s blog.

Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run that shouldn’t, which can be used to steal information or potentially cause other malicious code to run.

Wicherski wrote that it appeared a user only needed to hover over a malicious link in order to trigger the flaw, but another test showed that no user interaction was required.

“It is possible to load secondary JavaScript from an external URL (Uniform Resource Locator) with no user interaction, which makes this definitely wormable and dangerous,” Wicherski wrote.

Twitter acknowledged the problem. “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit,” the company wrote on Tuesday afternoon.

Code for the attack was posted on the IRC instant messaging service, Wicherski wrote. Other people who noticed the issue posted several harmless proof-of-concept demonstrations, wrote Paul Mutton of Netcraft Ltd. The flaw could have allowed something as benign as a pop-up message when mousing over a tweet, as shown on Netcraft’s blog.

But Mutton wrote that one user demonstrated more serious possibilities such as stealing cookies. Cookies are small pieces of data stored in a Web browser that are used for tracking users and remembering if a user wants to stay logged in to a Web site.

Audits of Web sites have shown that cross-site scripting flaws are among the most common Web application vulnerabilities.

IBM’s annual X-Force Trend and Risk Report found earlier this year that cross-site scripting attacks overtook SQL injection as the number-one type of Web application vulnerability. SQL injection attacks occur when commands are inputted into Web-based forms, which can cause back-end databases to reveal data if those databases are not configured properly.

>Another survey by WhiteHat Security Inc., a Santa Clara, Calif. company that specializes in finding Web application vulnerabilities, found there’s a 66 per cent chance a website will have a cross-site scripting problem.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now