exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Month Of Twitter Bugs - bit.ly XSS

Month Of Twitter Bugs - bit.ly XSS
Posted Jul 8, 2009
Authored by Aviv Raff | Site twitpwn.com

Month of Twitter Bugs - The bit.ly service suffered from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 31ec4a5275c9326490446d0db51bcc2382ae41ebdae9b9e899f219a573d60baa

Month Of Twitter Bugs - bit.ly XSS

Change Mirror Download
Wednesday, July 1, 2009

MoTB #01: Multiple vulnerabilities in bit.ly service

What is bit.ly
"bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck." (bit.ly about page)

Twitter affect
bit.ly can be used to send tweets with the shortened URLs through a form on their website, or a simple GET request.
bit.ly is using the OAuth authentication tokens in order to send tweets via the Twitter API.

Popularity rate
Second most popular URL shortening service in the wild - 4.5 twits

1) Reflected Cross-Site Scripting in the “url” query parameter.
Status: Patched.
Details: This vulnerability was first reported by Mario Heiderich on May 18th 2009, on twitter.

A week later, I found that this vulnerability got fixed. Unfortunately, after playing with it a bit, I figured that it was only partially fixed. Instead of encoding the HTML entities, bit.ly developers have decided to strip the <> characters. E.g. this proof-of-concept would have popup an alert on IE7: htttp://bit.ly/?url="%20style="color:expression(document.body.onload=function()%20{alert(1)})

Several days ago, after a long discussion with Mario, bit.ly has finally fully fixed this vulnerability.

2) Reflected Cross-Site Scripting in the keywords parameter.
Status: Patched.
Details: This vulnerability was reported by Mike Bailey on June 24th 2009. See Mike's advisory for more details: http://skeptikal.org/2009/06/parsing-quirk-causes-bitly-xss.html

This vulnerability was fixed by bit.ly yesterday.

3) Reflected POST Cross-Site Scripting in the username field of the login page
Status: Patched
Details: This vulnerability was reported by Mario Heiderich. See Mario’s advisory for more details: http://heideri.ch/bit.ly.txt

This vulnerability was fixed by bit.ly yesterday.

4) Persistent Cross-Site Scripting in the content-type field of the URL info page
Status: *Unpatched* Patched.
Details: This vulnerability was submitted by Mike Bailey on June 25th 2009.

Whenever a URL of a website gets shortened by bit.ly service, an information page is created for the URL, with statistics and metadata about the website. One of the metadata information being stored by bit.ly is the content-type response header of the shortened URL page. This information of-course can be easily changed. bit.ly fails to encode HTML entities while displaying the content-type information, and therefore allows injection of scripts to the page. Live proof-of-concept can be found here: http://bit.ly/info/JvH83

Vendor response rate
It took bit.ly a month and a half to fix simple XSS vulnerabilities. Very poor - 0.5 twits.

In conclusion
bit.ly has a large user base (who doesn't click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...

[Update - 3 hours into Month of Twitter Bugs] bit.ly have finally fixed the last vulnerability.
Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    50 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    7 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By