
Active XSS on Twitter

Screenshot (thanks to lc0d3r): [image]
Example: twitter.com/mr_the/status/25105420721 (this one does nothing beyond an alert)

It all started here: twitter.com/RainbowTwtr (a banal bit of coloring via CSS; the author is not known).
It is enough to post a tweet of the form:
 http://twitter.com/mr_the#@"onmouseover="jAvascript:alert('Ha-ha! XSS! '); "/
and there will be a lot of joy.

Actually, the cause is a bad link parser: the link text is inserted into the page markup without proper filtering, so a quote inside the link closes the href attribute and whatever follows is treated as further attributes.
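An added example (not Twitter's code) of this bug class: a toy autolinker that drops the matched URL straight into an href attribute, beside a hardened version that encodes it for the attribute context, plus a small heuristic check for event-handler attributes in the output. The regex, escape table and sample tweet are constructed for this demo.

```javascript
// Match http(s) URLs up to the next whitespace, as a naive autolinker might.
const URL_RE = /https?:\/\/[^\s]+/g;

// Buggy: the URL goes into the href attribute unescaped, so a quote inside
// the URL terminates the attribute and the rest becomes new attributes on
// the <a> element (the onmouseover tweet above works this way).
function naiveLinkify(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape every character that can terminate an attribute value or a text node.
function escapeHtml(s) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => table[c]);
}

// Hardened: the URL is encoded for both the attribute and the text position,
// so a quote can no longer close the href attribute.
function safeLinkify(text) {
  return text.replace(URL_RE, (url) => {
    const attr = escapeHtml(url);
    return `<a href="${attr}">${attr}</a>`;
  });
}

// Detection heuristic: an on* attribute name sitting right after a quote or
// whitespace, i.e. in attribute-name position, which the template never emits.
function hasInjectedHandler(html) {
  return /["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet in the same shape as the payload quoted above.
const SAMPLE = 'look http://example.invalid/#"onmouseover="alert(1)"/ hi';

console.log('naive :', naiveLinkify(SAMPLE));
console.log('safe  :', safeLinkify(SAMPLE));
```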

For safety, I recommend temporarily disabling JavaScript on twitter.com.

UPD: The XSS does not work on NewTwitter.
UPD2: At 15:52 (Kiev time) they closed the ability to send such tweets. The old ones still work.
UPD3: 16:46 Kiev time, the vulnerability is officially closed: status.twitter.com/post/1161435117/xss-attack-identified-and-patched

Source: https://habr.com/ru/post/104665/
