Most Web 2.0 players, such as Google, Facebook, etc., offer open APIs to developers. However, in this particular case, Aviv Raff uses Twitter's API to demonstrate the concept, possibly because the micro-blogging platform has constantly been in the spotlight since the beginning of the year, due to numerous security threats.
"Mikey wrote the twitter worm. That's old news, & Twitter seem to fix all the known vulnerabilities on their website. But, let's just say that there are no more XSS/CSRF/etc. vulnerabilities on Twitter. Does that mean that there will be no more twitter worms? The answer to that question is no," the researcher says.
Mr. Raff claims that this is because of the Twitter API, not so much the API itself, but the third-party websites that use it. He goes on to exemplify with twitpic.com, a service for sharing pictures on Twitter, which taps into the Twitter API in order to import a user's profile.
However, "While twitter.com sanitize and encode HTML tags in the twitter profile information (name, URL, bio, etc.), twitpic.com failed to do so and by that allowed injecting scripts to the twitpic user profile page. This is a very simple persistent XSS, which can be easily abused to hijack twitpic.com user accounts," the expert explains.
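The defect described above is a trust boundary problem: the upstream site encodes profile fields for its own pages, but its API hands the raw field to consumers, and a consumer that concatenates those fields into HTML inherits a persistent XSS. The following is an added illustration, not code from Raff or from Twitpic, using a constructed profile record and a hypothetical page template; it renders the same record once without output encoding and once with HTML escaping plus a URL scheme allow-list, so the difference can be checked directly.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed sample of a profile record as a third-party site might receive
# it from an upstream social-network API. The API returns the raw field values,
# so any HTML encoding the upstream site does for its own pages does not help
# the consumer. The markup below is an inert marker used only to show whether
# encoding happened; it is not taken from the article.
SAMPLE_PROFILE_JSON = json.dumps({
    "screen_name": "example_user",
    "name": "Example <b>User</b>",
    "url": 'https://example.invalid/" onmouseover="alert(1)',
    "description": "Hello <script>alert('xss')</script> world",
})

# Hypothetical page fragment a picture-sharing site might use for an
# imported profile. Braces are format placeholders filled from the record.
PROFILE_TEMPLATE = (
    '<div class="profile">\n'
    '  <h1>{name}</h1>\n'
    '  <a href="{url}">{url}</a>\n'
    '  <p class="bio">{description}</p>\n'
    '</div>'
)

ALLOWED_URL_SCHEMES = ("http", "https")


def render_profile_unsafe(profile_json: str) -> str:
    """Mirrors the failure the article describes: API-sourced fields are
    placed straight into the page with no output encoding."""
    profile = json.loads(profile_json)
    return PROFILE_TEMPLATE.format(**profile)


def safe_url(value: str) -> str:
    """Keep only http(s) URLs; anything else (javascript:, data:, garbage)
    is dropped so it can never become an active href."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES:
        return ""
    return value


def render_profile_safe(profile_json: str) -> str:
    """Hardened renderer: every field is HTML-escaped (including quotes, so
    attribute breakouts are neutralised) and the URL is scheme-checked first."""
    profile = json.loads(profile_json)
    profile["url"] = safe_url(str(profile.get("url", "")))
    escaped = {key: html.escape(str(val), quote=True) for key, val in profile.items()}
    return PROFILE_TEMPLATE.format(**escaped)


def contains_active_markup(rendered: str) -> bool:
    """Crude detector for the two injection shapes in the sample record:
    an unescaped <script> tag or an event handler smuggled into an attribute."""
    lower = rendered.lower()
    return "<script" in lower or 'onmouseover="' in lower


if __name__ == "__main__":
    print("--- unsafe rendering ---")
    print(render_profile_unsafe(SAMPLE_PROFILE_JSON))
    print("--- safe rendering ---")
    print(render_profile_safe(SAMPLE_PROFILE_JSON))
```

The point of the check is that the consuming site, not the API provider, owns the encoding decision for the context it renders into; a name, a bio and an href each need the treatment appropriate to where they land, and a scheme allow-list is needed for the href because escaping alone does not stop a `javascript:` URL.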
The API is also used to post messages back to Twitter on behalf of a user whenever they post or comment on a picture from twitpic.com. Mr. Raff set up a fake profile on Twitpic and leveraged the XSS flaw to create a successful Twitter worm. Any user logged into Twitpic who visited the rogue profile would have automatically posted Raff's message, with a link to the profile, on their own Twitter feed.
"Twitter are not alone in this mess. This 'Cross-Web2.0 Scripting' type of vulnerabilities can affect all other social networks," the security researcher notes. "If you are the owner of a service which provides an API, fixing your own website vulnerabilities might not be enough…," he concluded.