<div>Hi, up to some days ago Twitter was affected by a vulnerability that allowed the propagation of a worm what we like to call "twitter swine flu".<br>The vulnerability exploited by the worm was a simple Xss injected in an error page, but what is worth noticing here is that the error page was not a specific one, but was (and still currently is) raised when some unmanaged Unicode chars were included in the URL.<br>
<br>When you try to call a specific URL and set the path or a
querystring parameter to string containing an unsupported Unicode value
(for a complete list see: <a href="http://unicode.org/charts/PDF/U0080.pdf" target="_blank">http://unicode.org/charts/PDF/U0080.pdf</a>) the webapp raised an error page.</div>
<div><span style="font-family: courier new,monospace;"></span><span style="font-family: courier new,monospace;"></span> </div>
<div><span style="font-family: courier new,monospace;"><font face="Arial">E.g.</font></span></div>
<div><span style="font-family: courier new,monospace;"><a href="http://twitter.com/%A2" target="_blank">http://twitter.com/%A2</a> --> Invalid Unicode value in parameter user</span></div>
<div><span style="font-family: courier new,monospace;"></span> </div>
<div><span style="font-family: courier new,monospace;"><a href="http://twitter.com/testxss/%A2" target="_blank">http://twitter.com/testxss/%A2</a> --> Invalid Unicode value in parameter id</span></div>
<div><span style="font-family: courier new,monospace;"></span> </div>
<div><span style="font-family: courier new,monospace;"><a href="http://twitter.com/testxss/whatever/%A2" target="_blank">http://twitter.com/testxss/whatever/%A2</a> --> Invalid Unicode value in parameter params</span></div>
<div><span style="font-family: courier new,monospace;"></span> </div>
<div><span style="font-family: courier new,monospace;"><a href="http://twitter.com/testxss?a=%A2" target="_blank">http://twitter.com/testxss?a=%A2</a> --> Invalid Unicode value in parameter a</span></div>
<div><span style="font-family: courier new,monospace;"></span> </div>
<div><span style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"><font face="arial,helvetica,sans-serif">No control was performed on valid path/parameter names.</font></span></span></div>
<div><span style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"></span></span> </div>
<div><span style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"><font face="arial,helvetica,sans-serif">Moreover, in the last example, the error page echoed the parameter name without any sanitazion/encoding. This lead to XSS.</font></span></span></div>
<div><span style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"><font face="arial,helvetica,sans-serif"></font></span></span></div>
<div><span style="font-family: courier new,monospace;"><span style="font-family: courier new,monospace;"></span></span> </div>
<div>E.g.</div>
<div>If the url <a href="http://twitter.com/testxss?%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E=%A2" target="_blank">http://twitter.com/testxss?<script>alert('xss')</script>=%A2</a> was called the error page was raised and, as no validation on parameter name
is performed, the script was executed and an alert was raised.</div>
<div><br>The worm we developed is just a PoC that exploited this vulnerability and:</div>
<ul><li>made the victim post arbitrary tweets </li><li>added followers to an attacker controlled account</li></ul>
<div>A video of the PoC is available at:<br><a href="http://sites.google.com/site/tentacoloviola/twitterhorror" target="_blank">http://sites.google.com/site/tentacoloviola/twitterhorror</a><br>and<br><a href="http://www.matteocarli.com/2009/11/twitter-horror.html" target="_blank">http://www.matteocarli.com/2009/11/twitter-horror.html</a><br>
<br>The XSS issue in the error page has been patched by Twitter few days after our disclosure.<br>The Unicode issue is still there.<br><br>Regards<br>Rosario Valotta + Matteo Carlo<br></div>