Twitter fixes cross-site scripting flaw

The flaw could have allowed a hacker to steal data

Jeremy Kirk (IDG News Service)
22 September, 2010 00:47
Comments

A serious security flaw was apparently found on Twitter on Tuesday but was quickly fixed.

The problem was a cross-site scripting flaw, wrote Georg Wicherski of Kaspersky Lab on the company's blog.

Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run that shouldn't, which can be used to steal information or potentially cause other malicious code to run.

Wicherski wrote that it appeared a user only needed to hover over a malicious link in order to trigger the flaw, but another test showed that no user interaction was required.

"It is possible to load secondary JavaScript from an external URL (Uniform Resource Locator) with no user interaction, which makes this definitely wormable and dangerous," Wicherski wrote.

Twitter acknowledged the problem. "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," the company wrote on Tuesday afternoon.

Code for the attack was posted on the IRC instant messaging service, Wicherski wrote. Other people who noticed the issue posted several harmless proof-of-concept demonstrations, wrote Paul Mutton of Netcraft. The flaw could have allowed something as benign as a pop-up message when mousing over a tweet, as shown on Netcraft's blog.

But Mutton wrote that one user demonstrated more serious possibilities such as stealing cookies. Cookies are small pieces of data stored in a Web browser that are used for tracking users and remembering if a user wants to stay logged in to a Web site.

Audits of Web sites have shown that cross-site scripting flaws are among the most common Web application vulnerabilities.

IBM's annual X-Force Trend and Risk Report found earlier this year that cross-site scripting attacks overtook SQL injection as the number-one type of Web application vulnerability. SQL injection attacks occur when commands are inputted into Web-based forms, which can cause back-end databases to reveal data if those databases are not configured properly.

Another survey by WhiteHat Security, a company that specializes in finding Web application vulnerabilities, found there's a 66 percent chance a website will have a cross-site scripting problem.

Send news tips and comments to jeremy_kirk@idg.com

Bookmark this page
Share this article
- facebook
- slashdot
- digg
- Reddit
- stumbleupon
- linkedin
- twitter
Got more on this story? Email CIO
Follow CIO on twitter

More about: IBM, IBM Australia, Kaspersky, Kaspersky Lab, Netcraft, X-Force

References show all

Comments

Post new comment

Share
Share this article
- google+
- facebook facebook
- slashdot slashdot
- digg digg
- Reddit Reddit
- stumbleupon stumbleupon
- linkedin linkedin
- twitter twitter
print
email
Bookmark

Related Coverage

Related Whitepapers

Latest Stories

Community Comments

"Very first time commenter on Face Time - Interview with John Brennan ..."

Face Time - Interview with John Brennan and Robert DiStefano
"When someone writes an piece of writing he/she keeps the idea of ..."

Monday Grok: Will Siri crack the walls of GOOG?
"Truly no matter if someone doesn't be aware of after that its ..."

Face Time - Interview with John Brennan and Robert DiStefano
"I read this post completely about the resemblance of latest and previous ..."

Face Time - Interview with John Brennan and Robert DiStefano
"A survey has found that eight out of 10 Australians would be ..."

Phones are distractions during catch-ups

Tags: Exploits / vulnerabilities, kaspersky lab, malware, security

Latest Blog Posts

Whitepapers

Simplifying branch office security
Securing your business network is more important than ever. Malware, botnets and other malicious programs threaten your network—at your central offices and your branch offices alike. Yet enforcing consistent network security throughout your enterprise can be challenging—especially for those of you with branch offices with few users and no IT expertise. This paper introduces a new standard—an innovative, unified, cost-effective solution for managing branch office security, with centralised reporting and a clear process for determining return on investment (ROI).

Learn more »
Seven Tips for Securing Mobile Workers
Seven Tips for Securing Mobile Workers is intended to offer practical guidance on dealing with one of the fastest growing threats to the security of sensitive and confidential information.

Learn more »
Gartner MarketScope for Application Life Cycle Management
Organisations adopting agile practices, utilising global and distributed teams, or exploiting complex processes and technologies are most likely to benefit from using ALM tools to plan, manage and report on their development activities. This MarketScope assesses the market offerings and their providers.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

Three simple steps to better patch security

It’s estimated that 90% of successful attacks against software vulnerabilities could be prevented with an existing patch or configuration setting. Yet patching is a persistent challenge for IT managers. With ...

Recent comments

"Very first time commenter on Face Time - Interview with John Brennan ..."
Face Time - Interview with John Brennan and Robert DiStefano
"When someone writes an piece of writing he/she keeps the idea of ..."
Monday Grok: Will Siri crack the walls of GOOG?
"Truly no matter if someone doesn't be aware of after that its ..."
Face Time - Interview with John Brennan and Robert DiStefano
"I read this post completely about the resemblance of latest and previous ..."
Face Time - Interview with John Brennan and Robert DiStefano
"A survey has found that eight out of 10 Australians would be ..."
Phones are distractions during catch-ups

Follow CIO

Market Place

Gartner Security & Risk Management Summit, 16-17 July 2012, Sydney

Cyber Security Summit 2012 | 1-3 August | Save $150 using promo code CSO | Check out agenda today

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Twitter fixes cross-site scripting flaw

Comments

Post new comment

Building trusted relationships

Planning your IT career

Taking the risk out of diversity

5 open source help desk apps to watch

How to create a clear project plan

5 open source billing systems to watch

10 Tips for Dealing with a Bully Boss

CIO challenge with BYOD: Don't fall down the rabbit hole

Face Time - Interview with John Brennan and Robert DiStefano

All Systems Down

IT service management going social

Survey: Over 97 per cent of enterprise tablet users got an iPad in Q1

Judge throws out mass John Doe porn copyright lawsuits

HP Business Efficiency - Money Payback Guarantee Resource Centre

The Australian Cloud

Three simple steps to better patch security

The Pathways ICT Leadership Development Program Brochure and Curriculum 2012