
RSnake joined Twitter and did it with a bang. In about two hours, he found an XSS using a trusted domain of Twitter. Luckily, Twitter saw the tweet and it got fixed in about 90 minutes total. The crossdomain.xml has indeed been thoroughly revised. A chain is only as strong as its weakest link.
Read this post from Ed Bellis for the details and the response from Twitter. A story with a happy end.
Robert "RSnake" Hansen is a web application specialist and one of the authors of the XSS book (XSS Attacks - Cross Site Scripting Attacks Exploits and Defense). You can download a zipped up version of Chapter 5 and the table of contents (free sample).
(Photo under Creative Commons from Darwin Bell's Photostream)
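
The weakest-link point above, as an added example (not code from the original post or from Twitter): a small Python audit that lists every domain a crossdomain.xml trusts and flags the broad entries. The sample policy and its example.* domains are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the domains are placeholders, not Twitter's real file.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net" secure="false"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="static.example.org"/>
</cross-domain-policy>"""


def audit_policy(policy_xml):
    """Return (domain, issues) for every origin the policy trusts."""
    root = ET.fromstring(policy_xml)
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        issues = []
        if domain == "*":
            issues.append("any site can read responses")
        elif domain.startswith("*."):
            issues.append("every subdomain is trusted")
        # secure defaults to true; false lets HTTP-served content read HTTPS data
        if rule.get("secure", "true").lower() == "false":
            issues.append("plain-HTTP origins may read HTTPS content")
        findings.append((domain, issues))
    return findings


def trusted_domains(policy_xml):
    """Flash content served from any of these may read this site's
    responses, so each one's security becomes part of this site's."""
    return [domain for domain, _ in audit_policy(policy_xml)]


if __name__ == "__main__":
    for domain, issues in audit_policy(SAMPLE_POLICY):
        note = "; ".join(issues) or "exact host, still a trusted link"
        print(f"{domain:25} {note}")
```
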
Thursday
How Twitter got pwned in 2 hours
Posted by Security4all at 31.7.08
Labels: application vulnerabilities, cross-site