Twitter "swine flu" worm
From: Rosario Valotta <valotta.rosario () gmail com>
Date: Sat, 14 Nov 2009 01:41:16 +0100
Hi, up to some days ago Twitter was affected by a vulnerability that allowed
the propagation of a worm that we like to call "twitter swine flu".
The vulnerability exploited by the worm was a simple XSS injected in an
error page, but what is worth noticing here is that the error page was not a
specific one, but was (and still currently is) raised when some unmanaged
Unicode chars were included in the URL.
When you try to call a specific URL and set the path or a querystring
parameter to a string containing an unsupported Unicode value (for a complete
list see: http://unicode.org/charts/PDF/U0080.pdf) the webapp raised an
http://twitter.com/%A2 --> Invalid Unicode value in parameter user
http://twitter.com/testxss/%A2 --> Invalid Unicode value in parameter id
http://twitter.com/testxss/whatever/%A2 --> Invalid Unicode value in
http://twitter.com/testxss?a=%A2 --> Invalid Unicode value in parameter a
No control was performed on valid path/parameter names.
Moreover, in the last example, the error page echoed the parameter name
without any sanitization/encoding. This led to XSS.
If the URL
called the error page was raised and, as no validation on the parameter
is performed, the script was executed and an alert was raised.
The worm we developed is just a PoC that exploited this vulnerability and:
- made the victim post arbitrary tweets
- added followers to an attacker controlled account
A video of the PoC is available at:
The XSS issue in the error page has been patched by Twitter a few days after
The Unicode issue is still there.
Rosario Valotta + Matteo Carlo
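Added here as a defender's illustration, not code from the original post or from Twitter: a minimal model of the querystring case described above, showing the unencoded echo of the parameter name beside a hardened version that checks the raw value decodes as UTF-8, reflects only allow-listed parameter names and HTML-escapes them. The allow-list, the sample URL and the markup used as a parameter name are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote, unquote_to_bytes, urlsplit

# Constructed allow-list of parameter names the application accepts
# (an assumption for this example; the real parameter set is not on the page).
KNOWN_PARAMS = {"user", "id", "a"}
NAME_PATTERN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def is_valid_utf8(raw: str) -> bool:
    """Percent-decode the still-encoded value to bytes and check that the
    bytes form valid UTF-8. A lone '%A2' is a continuation byte with no
    lead byte, so it fails here just as it did on the error page."""
    try:
        unquote_to_bytes(raw).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False

def error_page_vulnerable(name: str) -> str:
    """Mirrors the behaviour described in the post: the parameter name
    is echoed into the HTML error page without any encoding."""
    return f"<p>Invalid Unicode value in parameter {name}</p>"

def error_page_hardened(name: str) -> str:
    """Echo the name only if it is a known parameter and a plain token,
    HTML-escaping it anyway; otherwise fall back to a generic message."""
    if name in KNOWN_PARAMS and NAME_PATTERN.fullmatch(name):
        return f"<p>Invalid Unicode value in parameter {html.escape(name)}</p>"
    return "<p>Invalid Unicode value in a request parameter</p>"

def handle_request(url: str, render) -> str:
    """Walk the query string without decoding values first, so the
    UTF-8 check sees the raw bytes. On the first undecodable value,
    render the error page for that parameter name. Returns '' when
    every value decodes cleanly."""
    query = urlsplit(url).query
    for pair in filter(None, query.split("&")):
        raw_name, _, raw_value = pair.partition("=")
        if not is_valid_utf8(raw_value):
            return render(unquote(raw_name))
    return ""

if __name__ == "__main__":
    # Constructed request: a parameter NAME carrying markup, paired with
    # a value that cannot be decoded as UTF-8.
    bad = "http://twitter.com/testxss?%3Cimg%20src%3Dx%3E=%A2"
    print(handle_request(bad, error_page_vulnerable))  # markup reaches the page
    print(handle_request(bad, error_page_hardened))    # generic message instead
```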
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/