[iBLISS Advisory Board] Cross-Site Scripting (XSS) Vulnerability on Twitter

[bruno () bsdmail com]

[iBLISS Advisory Board] Cross-Site Scripting (XSS) Vulnerability on Twitter


Vulnerability
Cross-Site Scripting on Search (Twitter) 


How
When you make a search (http://www.twitter.com/timeline/search?q=) and save the request, the search is NOT sanitized, 
so if you reload your home, the code typed (search) is executed.


Tested on Firefox 3.5 and IE 7.0


Timeline
Discovered                    29/11/2009
Vendor Disclosure       02/12/2009
Patched                          09/12/2009
Disclosure                      09/09/2009


Credits
iBLISS - Business Logic & Intrusion Security Specialists (http://www.ibliss.com.br/)
Rodrigo "Sp0oKeR" Montoro
Bruno Gonçalves de Oliveira

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/