Full Disclosure mailing list archives

Bonsai Information Security - Twitter Open Redirection Vulnerability


From: Bonsai Information Security Advisories <advisories () bonsai-sec com>
Date: Tue, 03 Aug 2010 14:50:46 -0300

Twitter Open Redirection Vulnerability

1. Advisory Information
Advisory ID: BONSAI-2010-0108
Date published: Tue Aug 3, 2010
Vendors contacted: Twitter
Release mode: Coordinated release

2. Vulnerability Information
Class: Unvalidated Redirects and Forwards
Remotely Exploitable: Yes
Locally Exploitable: Yes

3. Software Description
Twitter is a rich source of instant information. Stay updated. Keep
others updated. It's a whole thing.

4. Vulnerability Description
An open redirect is a flaw in an application that takes a parameter and
redirects the user to the parameter's value without validating it. It is
used in phishing attacks: a link that appears to point at the trusted site
forwards the victim to a malicious site without their realizing it.

5. Vulnerable packages
Twitter < Mon Aug 2, 2010

6. Non-vulnerable packages
Twitter >= Mon Aug 2, 2010

7. Credits
This vulnerability was discovered by Nahuel Grisolia ( nahuel at
bonsai-sec.com ).

8. Technical Description
Twitter was prone to an open redirection vulnerability because the login
page failed to validate the user-supplied redirect_after_login parameter
before forwarding the browser to it.
The following proof of concept is given. Without a valid Twitter session,
browse to:

https://twitter.com/login?redirect_after_login=http://www.bonsai-sec.com

After a successful login, the user will be forwarded to
http://www.bonsai-sec.com
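As an added example (not code from the advisory, nor Twitter's), the pattern described above beside a hardened form: the vulnerable version forwards to the parameter value as-is, while safe_redirect_target only ever emits a site-relative path and collapses foreign hosts, protocol-relative URLs, userinfo tricks and non-http schemes to a default landing page. The host allow-list and the evil.example inputs are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the login page may forward to. The allow-list itself is an assumption
# made for this example; the advisory only names twitter.com.
ALLOWED_HOSTS = {"twitter.com", "www.twitter.com"}
DEFAULT_AFTER_LOGIN = "/"


def vulnerable_redirect_target(param: str) -> str:
    """The pattern the advisory describes: the parameter is used verbatim."""
    return param


def safe_redirect_target(param: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return a site-relative redirect target derived from `param`, or `default`.

    Anything that would leave the site (foreign host, protocol-relative URL,
    userinfo tricks, non-http scheme) collapses to the default landing page.
    """
    if not param:
        return default
    # Browsers treat backslashes as slashes in URLs, so normalise before parsing
    # ("/\\evil.example" would otherwise pass a naive leading-slash check).
    candidate = param.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # javascript:, data:, and other non-web schemes
    if parts.netloc:
        # Absolute or protocol-relative URL: reject credentials in the
        # authority ("twitter.com@evil.example") and require an exact host match
        # ("twitter.com.evil.example" is not twitter.com).
        if parts.username is not None or parts.password is not None:
            return default
        if (parts.hostname or "").lower() not in allowed_hosts:
            return default
        # Re-emit as a path so the scheme/host part can no longer be abused.
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    # Relative reference: must be an absolute path and not the "//host" form.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs; evil.example is a placeholder host.
    for value in ["/settings", "https://twitter.com/home?x=1",
                  "http://www.bonsai-sec.com", "//evil.example",
                  "http://twitter.com@evil.example/", "javascript:alert(1)"]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```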

9. Report Timeline
* 2010-07-01 / Vulnerability was identified
* 2010-07-06 / First answer from Twitter.
* 2010-07-06 to 2010-08-02 / Multiple emails from Bonsai Research Team.
No answer was given.
* 2010-08-02 / Twitter sent us an email stating that the vulnerability
was patched.
* 2010-08-03 / Public Disclosure.

10. About Bonsai
Bonsai is a company that provides professional information security
services. Founded in early 2009 in Buenos Aires, Argentina, and growing
steadily since, we are fully committed to quality service and focused on
our customers' real needs.

11. Disclaimer
The contents of this advisory are copyright (c) 2010 Bonsai Information
Security, and may be distributed freely provided that no fee is charged
for this distribution and proper credit is given.

12. Research
http://www.bonsai-sec.com/en/research/vulnerability.php

13. Blog Post
http://www.bonsai-sec.com/blog/index.php/twitter-open-redirection-vulnerability/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/