Twitter fixes cross-site scripting flaw

The flaw could have allowed a hacker to steal data

A serious security flaw was apparently found on Twitter on Tuesday but was quickly fixed.

The problem was a cross-site scripting flaw, wrote Georg Wicherski of Kaspersky Lab on the company's blog.

Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run that shouldn't, which can be used to steal information or potentially cause other malicious code to run.

Wicherski wrote that it appeared a user only needed to hover over a malicious link in order to trigger the flaw, but another test showed that no user interaction was required.

"It is possible to load secondary JavaScript from an external URL (Uniform Resource Locator) with no user interaction, which makes this definitely wormable and dangerous," Wicherski wrote.

Twitter acknowledged the problem. "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," the company wrote on Tuesday afternoon.

Code for the attack was posted on the IRC instant messaging service, Wicherski wrote. Other people who noticed the issue posted several harmless proof-of-concept demonstrations, wrote Paul Mutton of Netcraft. The flaw could have allowed something as benign as a pop-up message when mousing over a tweet, as shown on Netcraft's blog.

But Mutton wrote that one user demonstrated more serious possibilities such as stealing cookies. Cookies are small pieces of data stored in a Web browser that are used for tracking users and remembering if a user wants to stay logged in to a Web site.

Audits of Web sites have shown that cross-site scripting flaws are among the most common Web application vulnerabilities.

IBM's annual X-Force Trend and Risk Report found earlier this year that cross-site scripting attacks overtook SQL injection as the number-one type of Web application vulnerability. SQL injection attacks occur when commands are inputted into Web-based forms, which can cause back-end databases to reveal data if those databases are not configured properly.

Another survey by WhiteHat Security, a company that specializes in finding Web application vulnerabilities, found there's a 66 percent chance a website will have a cross-site scripting problem.

Send news tips and comments to jeremy_kirk@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwarekaspersky labExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Bitdefender 2019

This Holiday Season, protect yourself and your loved ones with the best. Buy now for Holiday Savings!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?