
Month Of Twitter Bugs - Twitterfall XSS

Published: 08 Jul 2009 | Reported by: Aviv Raff | Type: packetstorm | Source: packetstormsecurity.com

Month Of Twitter Bugs - Twitterfall XSS, DOM Based XSS in Twitterfall, Patched

Code
`Wednesday, July 8, 2009  
  
MoTB #08: DOM Based XSS in Twitterfall  
  
What is Twitterfall  
"Twitterfall is a way of viewing the latest 'tweets' of upcoming trends and custom searches on the micro-blogging site Twitter. Updates fall from the top of the page in near-realtime." (Twitterfall home page)  
  
  
Twitter effect  
Twitterfall can be used to send tweets and replies, and to follow other Twitter users.  
Twitterfall authenticates to the Twitter API with OAuth, so a script running in the Twitterfall page can call the API with the victim's authorization.  
  
  
Popularity rate  
22nd place according to "The Museum of Modern Betas"; 18th place according to Compete. Rating: 3.5 twits.  
  
  
  
Vulnerability: DOM-based Cross-Site Scripting in the main page.  
Status: Patched.  
Details: Client-side JavaScript on the Twitterfall main page read the "trend" URL parameter and wrote it into the page without HTML-encoding it first. Because the browser percent-decodes the parameter, an attacker could place markup such as an <img> tag with an onerror handler or a <script> tag in the URL and have it execute in the victim's Twitterfall session, which could then have been used to send tweets on behalf of the victim through Twitterfall's OAuth access to the Twitter API. The older site of Twitterfall (old.twitterfall.com) was vulnerable to the same issue.  
  
Proof-of-Concepts:  
http://www.twitterfall.com/?trend=%3Cimg/src%3D"."/onerror%3D"alert('xss')"%3E  
http://old.twitterfall.com/?trend=%3Cscript%3Ealert("XSS")=%3C/script%3E  
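The following is an added example, not Twitterfall's code and not part of the original advisory. It models the sink the advisory describes: the "trend" query parameter is percent-decoded and concatenated into markup, beside the same renderer with HTML-encoding applied. The two proof-of-concept URLs above are used as constructed input. The renderers return HTML strings rather than touching a real DOM so the example runs under Node; in a browser the same string would be assigned to innerHTML, which is where the injected <img onerror> or <script> would execute. All function names here are the example's own.

```javascript
// Added example (not Twitterfall's code): a DOM-based XSS sink and its fix,
// modelled on the advisory's description of the "trend" URL parameter.

// Read the "trend" query parameter the way client-side code would from
// location.href. URLSearchParams percent-decodes, so %3C becomes "<".
function getTrendParam(href) {
  return new URL(href).searchParams.get("trend"); // null when absent
}

// VULNERABLE: the decoded parameter is concatenated straight into markup.
// Assigning this string to element.innerHTML creates the attacker's element.
function renderTrendUnsafe(trend) {
  return '<div class="trend">Trend: ' + trend + "</div>";
}

// Encode the characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// FIXED: same markup, but the untrusted value is HTML-encoded first.
// Writing the value with textContent instead of innerHTML is the
// equivalent DOM-level fix.
function renderTrendSafe(trend) {
  return '<div class="trend">Trend: ' + escapeHtml(trend) + "</div>";
}

// Count tag openers ("<" followed by a letter or "/") in the produced markup.
// Both renderers emit exactly two of their own (<div ...> and </div>);
// any additional opener came from the parameter and would be parsed by the
// browser as a new element.
function countTags(html) {
  return (html.match(/<[a-z\/]/gi) || []).length;
}

// Constructed input: the advisory's two proof-of-concept URLs.
const POC_URLS = [
  'http://www.twitterfall.com/?trend=%3Cimg/src%3D"."/onerror%3D"alert(\'xss\')"%3E',
  'http://old.twitterfall.com/?trend=%3Cscript%3Ealert("XSS")=%3C/script%3E',
];

// Run both renderers over each PoC and report how many tags the
// parameter injected into the page.
function evaluatePocs(urls = POC_URLS) {
  return urls.map((href) => {
    const trend = getTrendParam(href);
    return {
      href,
      trend,
      injectedTagsUnsafe: countTags(renderTrendUnsafe(trend)) - 2,
      injectedTagsSafe: countTags(renderTrendSafe(trend)) - 2,
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluatePocs()) {
    console.log(r.href);
    console.log("  decoded trend:   " + r.trend);
    console.log("  tags injected, unencoded sink: " + r.injectedTagsUnsafe);
    console.log("  tags injected, encoded sink:   " + r.injectedTagsSafe);
  }
}
```

Note that the fix belongs in the code that writes to the DOM, not in the URL: the browser and URLSearchParams decode %3C back to "<" before the page ever sees the value, so encoding on the way out of JavaScript (or using textContent) is what closes the hole.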
  
  
  
  
Vendor response rate  
The vulnerabilities were fixed 3 hours after they were reported.   
`
