A new cross-site scripting (XSS) weakness identified on Twitter and can be leveraged by attackers to hijack users' sessions and post on their behalf.According to a report from the XSSed Project, the vulnerability is located in the search script on dev.twitter.com and was discovered by a researcher calling himself "cbr".
"This non-persistent Twitter XSS was submitted by 'cbr' on July 29, 2010 and has not been corrected since then," Dimitris Pagkalos, co-founder of the XSSed Project, writes.
Following the disclosure, security researcher Mike Bailey has quickly put together a proof-of-concept exploit which forces a logged in Twitter user to post a rogue message from their account when visiting a maliciously crafted Web page.
The attack leverages the flaw to hijack the victim's session cookie and use it to post a tweet on their behalf, but the researcher notes that other malicious actions could also be performed.
"While I'm not collecting any data other than session cookies, and I'm discarding them once I post a tweet from your account, I could do much more," the researcher writes.
Bailey's example requires a button to be clicked in order to trigger the exploit, but this is not necessary and the same result could be achieved transparently.
This means that the flaw, which at the time of writing this article is still unpatched, could be used to create a malicious XSS worm, that would rapidly spread across the micro-blogging website.
"I wrote this proof of concept in less than 10 minutes. These things are ridiculously easy to attack," Bailey points out.
Cross-site scripting vulnerabilities stem from a failure to properly validate user input into forms and allows attackers to force websites into serving unauthorized code to visitors.
This is actually the fourth serious XSS bug discovered on Twitter this summer, despite the website having confronted similar problems in the past and undergoing repeated scrutiny.
Client-side protection against XSS is available in several browsers. Internet Explorer and Google Chrome come with their own internal filters, while Firefox has the popular NoScript extension.