Screenshot (thanks to lc0d3r):

Example:
twitter.com/mr_the/status/25105420721 (there is only an alert)
It all started here (trivial coloring via CSS):
twitter.com/RainbowTwtr; the author is not known.
It is enough to post a tweet of the form:
http://twitter.com/mr_the#@"onmouseover="jAvascript:alert('Ha-ha! XSS! '); "/
and there will be a lot of joy.
The actual cause is a bad link parser that does not filter its input properly.
For security reasons, I recommend temporarily disabling JavaScript on twitter.com.
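
The link-parser flaw named above, as an added example that is not from the original post and is not Twitter's code: a hypothetical naive autolinker next to a hardened one, run on a constructed sample tweet modelled on the one quoted above. All function names and regexes are assumptions for illustration.

```javascript
// Constructed sample tweet, modelled on the one quoted in the post.
const SAMPLE = 'http://twitter.com/mr_the#@"onmouseover="alert(1)"/';

// Hypothetical naive autolinker: treats every non-space run after the scheme
// as the URL and pastes it into href="..." without any encoding.
function linkifyNaive(text) {
  return text.replace(/https?:\/\/\S+/g, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-escape text so it cannot close an attribute or open a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened autolinker: the URL may only contain characters from a conservative
// allow-list (no quotes, no angle brackets), and both the attribute value and
// all surrounding tweet text are HTML-escaped on output.
function linkifySafe(text) {
  const urlRe = /https?:\/\/[A-Za-z0-9\-._~:\/?#\[\]@!$&()*+,;=%]+/g;
  let out = '';
  let last = 0;
  for (const m of text.matchAll(urlRe)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Check helper: names of the attributes present on the first <a> tag.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  return [...tag[1].matchAll(/([a-zA-Z-]+)\s*=\s*"[^"]*"/g)].map((m) => m[1]);
}

// Naive output: the quote inside the "URL" ends href early, so the rest of
// the tweet is parsed as an extra attribute on the link.
console.log(anchorAttributes(linkifyNaive(SAMPLE)));
// Hardened output: the link stops at the quote; the remainder is inert text.
console.log(anchorAttributes(linkifySafe(SAMPLE)));
console.log(linkifySafe(SAMPLE));
```
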
UPD: The XSS does not work on NewTwitter.
UPD2: At 15:52 (Kiev time) they closed the ability to send such tweets. The old ones still work.
UPD3: At 16:46 Kiev time, the vulnerability was officially closed:
status.twitter.com/post/1161435117/xss-attack-identified-and-patched