Thursday, July 2, 2009

MoTB #02: Reflected XSS in HootSuite

What is HootSuite
"HootSuite is the ultimate Twitter toolbox. With HootSuite, you can manage multiple Twitter profiles, add multiple editors, pre-schedule tweets, and measure your success. HootSuite lets you manage your entire Twitter experience from one easy-to-use interface." (HootSuite about page)


Twitter affect
HootSuite can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
HootSuite is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate
27th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” - 3.5 twits


Vulnerability: Reflected Cross-Site in the “add-acount” page.
Status: Patched.
Details: The HootSuite "add-account" page does not encode HTML entities in the "pageMode" variable, which can allow the injection of scripts.

This vulnerability could allowed an attacker to send tweets, direct messages and to follow/unfollow others on behalf of its victims.  Proof-of-Concept: http://hootsuite.com/twitter/add-account?height=240&width=280&modal=true&pageMode=xxx%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E


Vendor response rate
Vulnerability was fixed two hours after it has been reported.