Thursday, July 2, 2009
MoTB #02: Reflected XSS in HootSuite
What is HootSuite
"HootSuite is the ultimate Twitter toolbox. With HootSuite, you can manage multiple Twitter profiles, add multiple editors, pre-schedule tweets, and measure your success. HootSuite lets you manage your entire Twitter experience from one easy-to-use interface." (HootSuite about page)
Twitter effect
HootSuite can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
HootSuite uses username/password authentication to access the Twitter API.
Popularity rate
27th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” - 3.5 twits
Vulnerability: Reflected Cross-Site Scripting in the "add-account" page.
Status: Patched.
Details: The HootSuite "add-account" page does not encode HTML entities in the "pageMode" variable, which can allow the injection of scripts.
This vulnerability could have allowed an attacker to send tweets and direct messages and to follow/unfollow others on behalf of the victim.
Proof-of-Concept: http://hootsuite.com/twitter/add-account?height=240&width=280&modal=true&pageMode=xxx%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
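The defect and its fix, as an added example that is not HootSuite's code: the advisory only says that "pageMode" is reflected without HTML-entity encoding, so the hidden-input template below is a constructed stand-in for the real page markup, and the reflection check simply parses the rendered output to confirm that the submitted value stays inside its attribute and that no script element appears.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL quoted in the advisory.
POC_URL = ("http://hootsuite.com/twitter/add-account?height=240&width=280"
           "&modal=true&pageMode=xxx%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E")


def page_mode_from_url(url: str) -> str:
    """Extract the decoded pageMode query parameter (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("pageMode", [""])[0]


def render_vulnerable(page_mode: str) -> str:
    """Constructed stand-in for the unpatched template: raw interpolation."""
    return f'<input type="hidden" name="pageMode" value="{page_mode}">'


def render_fixed(page_mode: str) -> str:
    """Same template with HTML-entity encoding; quote=True also encodes the double quote."""
    return f'<input type="hidden" name="pageMode" value="{html.escape(page_mode, quote=True)}">'


class _ReflectionParser(HTMLParser):
    """Counts script elements and records the parsed pageMode attribute value."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.page_mode = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input" and dict(attrs).get("name") == "pageMode":
            self.page_mode = dict(attrs).get("value")


def reflection_check(rendered: str, submitted: str) -> dict:
    """Report whether the submitted value survived as attribute data only."""
    parser = _ReflectionParser()
    parser.feed(rendered)
    parser.close()
    return {"script_tags": parser.script_tags,
            "value_intact": parser.page_mode == submitted}


if __name__ == "__main__":
    value = page_mode_from_url(POC_URL)
    print("unpatched:", reflection_check(render_vulnerable(value), value))
    print("patched:  ", reflection_check(render_fixed(value), value))
```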
Vendor response rate
The vulnerability was fixed two hours after it was reported.