Comments on: Cross-Site Request Forgery Vulnerability in Twitter http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/ Thu, 09 Sep 2010 13:08:56 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Application Security and Redefining User Input | RebelFa1con™ http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-49371 Application Security and Redefining User Input | RebelFa1con™ Thu, 25 Feb 2010 12:50:13 +0000 http://www.mcgrewsecurity.com/?p=102#comment-49371 [...] a CSRF vulnerability spotted in twitter. Twitter has two post screens, one of them for mobile and one of them for normal web browsers. Even [...] [...] a CSRF vulnerability spotted in twitter. Twitter has two post screens, one of them for mobile and one of them for normal web browsers. Even [...]

]]> By: iS34.Net Güncel Haberler » Application Security and Redefining User Input http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-30749 iS34.Net Güncel Haberler » Application Security and Redefining User Input Sat, 21 Mar 2009 19:06:29 +0000 http://www.mcgrewsecurity.com/?p=102#comment-30749 [...] a CSRF vulnerability spotted in twitter. Twitter has two post screens, one of them for mobile and one of them for normal web browsers. Even [...] [...] a CSRF vulnerability spotted in twitter. Twitter has two post screens, one of them for mobile and one of them for normal web browsers. Even [...]

]]> By: CyTRAP Labs - EU-IST - we help protect since 2000 » Blog Archive » InfoSec and Twitter - why this technology causes corporations some serious headaches http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-17714 CyTRAP Labs - EU-IST - we help protect since 2000 » Blog Archive » InfoSec and Twitter - why this technology causes corporations some serious headaches Sat, 28 Jun 2008 05:10:38 +0000 http://www.mcgrewsecurity.com/?p=102#comment-17714 [...] 2008-04-08 - Cross-Site Request Forgery Vulnerability in Twitter - Wesley McGrew [...] [...] 2008-04-08 – Cross-Site Request Forgery Vulnerability in Twitter – Wesley McGrew [...]

]]> By: admin http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-13817 admin Wed, 09 Apr 2008 15:03:24 +0000 http://www.mcgrewsecurity.com/?p=102#comment-13817 Hi Ferruh! Thanks for dropping the note. Good example of how one can never assume they're the only one sitting on a vulnerability :). Sounds like they're interested in improving their response now. Have a good one! Wesley Hi Ferruh!

Thanks for dropping the note. Good example of how one can never assume they’re the only one sitting on a vulnerability :).

Sounds like they’re interested in improving their response now.

Have a good one!
Wesley

]]> By: Ferruh Mavituna http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-13809 Ferruh Mavituna Wed, 09 Apr 2008 10:25:12 +0000 http://www.mcgrewsecurity.com/?p=102#comment-13809 It's quite funny that I've reported this CSRF issue to twitter about 3 weeks ago and supplied them 2 PoC to bypass REFERRER via HTTPS trick and JS. But they didn't reply. I was waiting for 30 days before release it. Anyway, 2 PoC, one based on HTTPS>HTTP, other one is JS https://ferruh.mavituna.com/opensource/twitter/ https://ferruh.mavituna.com/opensource/twitter-2/ Looks like they've fixed though. It’s quite funny that I’ve reported this CSRF issue to twitter about 3 weeks ago and supplied them 2 PoC to bypass REFERRER via HTTPS trick and JS. But they didn’t reply. I was waiting for 30 days before release it.

Anyway,
2 PoC, one based on HTTPS>HTTP, other one is JS
https://ferruh.mavituna.com/opensource/twitter/
https://ferruh.mavituna.com/opensource/twitter-2/

Looks like they’ve fixed though.

]]> By: admin http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-13800 admin Wed, 09 Apr 2008 04:23:18 +0000 http://www.mcgrewsecurity.com/?p=102#comment-13800 Hi Alex! I see that the mobile form now has a token, however it seems like it's not being checked at the moment, as the CSRF still seems to go through fine. Perhaps I've caught you in the middle of the fix :-) Hi Alex! I see that the mobile form now has a token, however it seems like it’s not being checked at the moment, as the CSRF still seems to go through fine. Perhaps I’ve caught you in the middle of the fix :-)

]]> By: Alex Payne http://www.mcgrewsecurity.com/2008/04/08/cross-site-request-forgery-vulnerability-in-twitter/comment-page-1/#comment-13799 Alex Payne Wed, 09 Apr 2008 03:27:24 +0000 http://www.mcgrewsecurity.com/?p=102#comment-13799 Hi, I'm one of Twitter's engineers. A friend brought this post to my attention this evening. Thanks for taking the time to write this up and develop a proof-of-concept. I've patched this vulnerability, and we'll work to make it easier to contact us with security problems. We do read both abuse@twitter.com and security@twitter.com, in the meantime. Our full-time support staff also goes through all tickets and routes any security issues reported there to the appropriate engineers. Hi, I’m one of Twitter’s engineers. A friend brought this post to my attention this evening.

Thanks for taking the time to write this up and develop a proof-of-concept. I’ve patched this vulnerability, and we’ll work to make it easier to contact us with security problems. We do read both abuse@twitter.com and security@twitter.com, in the meantime. Our full-time support staff also goes through all tickets and routes any security issues reported there to the appropriate engineers.

]]>