Thursday, July 9, 2009

MoTB #09: Reflected POST XSS vulnerability in Twellow

What is Twellow
"From our home at Twellow headquarters, we're actively searching and categorizing millions of inter-personal exchanges available on the internet every day. Twellow.com is thereby able to assist you in finding real people who really matter. We're doing the hard work of sifting out people who can help bring your vision to reality, whatever that vision might be." (Twellow about page)


Twitter effect
Twellow can be used to follow and unfollow other twitter users.
Twellow is using Username/Password authentication in order to utilize the Twitter API.


Popularity rate

Indexing 6.2 million Twitter profiles, with over 175K unique visitors per month (according to Compete) - 4 twits



Vulnerability: Reflected POST Cross-Site Scripting in the Contact page.
Status: Patched.

Details: Twellow does not encode HTML entities in the form fields of the Contact page, which can allow the injection of scripts by submitting a rouge HTML form to the page.

This vulnerability could have allowed an attacker to automatically follow or unfollow other twitter users on behalf of its victims.



Vendor response rate
The vulnerabilities were fixed 1 day after they were reported, although it took them 4 days to response to the initial email.