A Twitter cross-site scripting (XSS) vulnerability reported late last week was quickly fixed by the website's security staff. The flaw might have been abused in an earlier attack that affected hundreds of Twitter accounts.
According to Daniel Kennedy of Praetorian Security Group, who published an in-depth analysis of the proof-of-concept attack, the hacker left a message reading "there is no crime here! I just create To smarten view my Twitter profile," suggesting that his intentions were not malicious.
This XSS vulnerability is persistent, meaning that exploitation can result in permanent changes being made to the page, subsequently affecting all users who view it. This is opposed to reflected XSS flaws, which can only affect users opening a malformed URL.
Cross-site scripting bugs are the result of improper input validation in web forms. In this case, the vulnerability was located in the name field of the Twitter application registration form. The flaw was similar to a different one discovered last August in the application URL field by a blogger named James Slater.
Dimitris Pagkalos, one of the founders of the XSSed, a project that maintains an archive of XSS flaws and raises awareness about this type of Web vulnerability, notes that Twitter's security team promptly addressed the bug. However, he suggests the vulnerability might have been used in an earlier attack that made a rogue status reading "Hacked By Turkish Hackers" appear on almost one thousand Twitter profiles.
You can follow the editor on Twitter @lconstantin