Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 6th, 2010

New Cross-site Scripting Vulnerability On Twitter Allows Session Hijacking And Posting

According to a report from the XSSed Project, the vulnerability is located in the search script on and was discovered by a researcher calling himself “cbr”.

Following the disclosure, security researcher Mike Bailey has quickly put together a proof-of-concept exploit which forces a logged in Twitter user to post a rogue message from their account when visiting a maliciously crafted Web page.

The attack leverages the flaw to hijack the victim’s session cookie and use it to post a tweet on their behalf, but the researcher notes that other malicious actions could also be performed. “While I’m not collecting any data other than session cookies, and I’m discarding them once I post a tweet from your account, I could do much more,” the researcher writes.

Bailey’s example requires a button to be clicked in order to trigger the exploit, but this is not necessary and the same result could be achieved transparently. This means that the flaw, which at the time of writing this article is still unpatched, could be used to create a malicious XSS worm, that would rapidly spread across the micro-blogging website.

“I wrote this proof of concept in less than 10 minutes. These things are ridiculously easy to attack,” Bailey points out.

Cross-site scripting vulnerabilities stem from a failure to properly validate user input into forms and allows attackers to force websites into serving unauthorized code to visitors. This is actually the fourth serious XSS bug discovered on Twitter this summer, despite the website having confronted similar problems in the past and undergoing repeated scrutiny.

Client-side protection against XSS is available in several browsers. Internet Explorer and Google Chrome come with their own internal filters, while Firefox has the popular NoScript extension.

Share this item with others:

More on CyberInsecure:
  • Cross-site Scripting Vulnerability On Yahoo’s HotJobs Site Exposes Yahoo Accounts
  • Cross-Domain Vulnerability In Microsoft Internet Explorer 6
  • Drupal Multiple XSS and Request Forgery Vulnerabilities
  • Cross-Site Scripting Vulnerability On Paypal Could Be Used In Phishing Attacks
  • Cross-site Scripting Vulnerability Found In MI5 Website By A Hacker

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Cross-site Scripting Vulnerability On Twitter Allows Session Hijacking And Posting

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.