
Two security researchers have discovered a serious XSS weakness affecting the popular micro-blogging platform Twitter. By clicking on a hidden, maliciously crafted link, users can be forced to post messages without their knowledge.

Lance James and Eric Wastl, security researchers for Secure Sciences Corporation, have announced that Twitter users are exposed to potentially dangerous attacks because of a cross-site scripting vulnerability. XSS flaws are the result of poor input validation and generally allow attackers to force unwanted behavior in the victim's browser through nothing more than a manipulated URL.

In order to back up their claim, the two white-hat hackers have set up a proof-of-concept URL, which they have shortened and masked with the help of the TinyURL service. Twitter enforces a 140-character limit for messages, which makes URL shortening services like TinyURL almost a must. Cyber-criminals often use XSS weaknesses to inject rogue IFrames into legitimate and popular pages, but in this case the two researchers have employed it to abuse the status-update feature. The potential for abuse, however, is much greater.


The shortened version of the PoC link has since been disabled by TinyURL, yet the full URL is still available. Clicking on it will first warn users of what they are about to do and ask them if they want to proceed. Hitting "Ok" will automatically post a message that reads "@XSSExploits I just got owned!" on their Twitter page.

[credits: news.softpedia.com]