Twitter Mouseover Flaw Allows Script Injection
As I write this, there are some rather unusual trending topics on Twitter, including:
- Security Flaw
When you include a URL in your Tweet, Twitter automatically recognizes this. Then when it displays that Tweet via the browser, it wraps that URL as follows:
<a href="YOUR_LINK" class="tweet-url" rel="nofollow" target="_blank">YOUR_LINK</a>
The problem is, Twitter does not sanitize the URL. In particular, it does not check for the presence of quotes, which allows a user to post a link like:
http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//
Twitter recognizes this as a URL and happily wraps it in a link. The problem is, the exclamation mark in the URL causes the onmouseover bit to be added to the link tag (<a>) as an attribute, thus enabling a potential attack.
<a href="http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//" class="tweet-url web" rel="nofollow" target="_blank">http://www.a.bc/@"onmouseover=alert('Sanitize user input!')//</a>
All of that is fairly harmless, but expect nastier code to follow soon.
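Added example, not Twitter's code or the post's own: a Python routine that wraps URLs the way the post describes, beside a version that escapes quotes before placing the URL in the href attribute and link text, plus a parser check that lists the attributes a browser-style parser sees on the resulting <a>. The tweet text and the crude URL detector are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample Tweet; the URL is the one quoted in the post.
SAMPLE_TWEET = ('check this http://www.a.bc/@"onmouseover=alert('
                "'Sanitize user input!')//")
# Deliberately crude URL detector (http(s):// through the end of the tweet)
# so that the post's payload, spaces included, is taken as one URL.
URL_RE = re.compile(r'https?://.*')
# The wrapper markup shown in the post, with %s standing for the URL.
ANCHOR = '<a href="%s" class="tweet-url" rel="nofollow" target="_blank">%s</a>'


def linkify_vulnerable(text):
    """As the post describes: the raw URL goes straight into the href
    attribute and the link text, with no escaping at all."""
    return URL_RE.sub(lambda m: ANCHOR % (m.group(0), m.group(0)), text)


def linkify_hardened(text):
    """Escape every piece of user text before it lands in markup. With
    quote=True, html.escape turns " into &quot; and ' into &#x27;, so the
    URL can neither terminate the href value nor start a new attribute."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        safe = html.escape(m.group(0), quote=True)
        out.append(ANCHOR % (safe, safe))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


class _AnchorAttrs(HTMLParser):
    """Collect the attribute names the parser sees on each <a> element."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.append([name for name, _ in attrs])


def anchor_attribute_names(markup):
    """An 'onmouseover' in the result means the URL broke out of href."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.names
```

Running both wrappers over SAMPLE_TWEET and feeding the output to anchor_attribute_names shows onmouseover as an attribute only for the vulnerable version.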
In the meantime, Twitter users may:
- Use a third-party application to view Twitter until this is fixed, since the bug only affects the twitter.com web interface in the browser.
Update: Twitter reports that they have fixed the vulnerability in the last few minutes.