Ed Skoudis gave a talk at Hack in the Box last year where he lamented how sad it was that SQL injection was still going on. I would like to add Cross Site Scripting to that lamentation today. I was logged into Twitter this morning and suddenly started seeing a similar "re-tweet." I jumped on the Google and saw several early write-ups saying Twitter was getting pwned. Here is the tweet I got:
www.t.co/@"onmouseover="document.getElementById(' status').value='RT MiguelTarga';$('.status- update-form').submit();"class= "modal-overlay"/
"onmouseover", you have got to be kidding me. I booted into a system I didn't care about and ran the cursor over the code; bang, I was retweeting. That's slick, no clicking involved. A successful stored XSS attack on a major site in 2010, awesome. Here's a quick write-up on XSS if you don't know how it works: http://en.wikipedia.org/wiki/Cross-site_scripting
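The tweet above uses a double quote to close a link attribute and then adds an onmouseover handler. As an added example (not from the original post, and not Twitter's code), the sketch below assumes an auto-linker that writes the matched URL into href unescaped and sets it beside a version that HTML-encodes every piece of user text; the function names and the sample string, which carries a harmless void(0) handler, are constructed.

```javascript
// Constructed sample: same shape as the tweet, with a no-op handler.
const SAMPLE = 'http://example.test/@"onmouseover="void(0)"/';

const URL_RE = /\bhttps?:\/\/[^\s<>]+/g;

// Encode the characters that can change HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable form: the matched URL is pasted into the attribute as-is,
// so a double quote in the URL ends href and starts a new attribute.
function linkifyNaive(text) {
  return text.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// Hardened form: encode the URL for the attribute and the link text,
// and encode the non-URL text around it as well.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const u = escapeHtml(m[0]);
    out += `<a href="${u}" rel="nofollow noopener">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Rough check for this demo only (not a sanitizer): does any tag carry
// an on* attribute introduced by whitespace or a closing quote?
function hasInlineHandler(html) {
  return /<[^>]*["'\s]on\w+\s*=/i.test(html);
}

console.log('naive:', linkifyNaive(SAMPLE), hasInlineHandler(linkifyNaive(SAMPLE)));
console.log('safe: ', linkifySafe(SAMPLE), hasInlineHandler(linkifySafe(SAMPLE)));
```

Output encoding at the point of insertion is what closes this hole; the regex check is only there to make the difference between the two outputs visible.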
I switched over to m.twitter.com to watch the rest of the action since JavaScript isn't enabled on that site. The Twitter team responded quickly and cleared everything up within a reasonable amount of time. This should help prove that social media does not belong inside your network.