Researcher Uncovers XSS Flaws In Twitter and Google Calendar

Use Netsparker


More flaws discovered in Twitter and Google Calender during the holiday season.

Once again XSS flaws have been discovered in popular web apps, but at least they were reported and not used nefariously this time.

Fixes have been issued promptly by both Google and Twitter so there is not much cause for concern this time round. But you can imagine if Nir Goldshlager could uncover these flaws – how many more are there

A security researcher uncovered some holes in Google Calendar and Twitter that may allow an attacker to steal cookies and user session IDs.

In a proof of concept, researcher Nir Goldshlager demonstrated cross-site scripting (XSS) vulnerabilities in Google Calendar and Twitter that he said could be used to steal cookies and session IDs. He also uncovered an HTML injection issue affecting Google Calendar as well that he said could be used to redirect a victim to an attack site any time the user viewed his or her Google Calendar agenda events.

Twitter issued a fix for the issue Dec. 30, and Google stated Dec. 31 it would examine the input validation process for the Google Calendar field to help address the situation.

XSS attack have become increasingly prevalent in the last few years and the power of harnessing them well is tarted to become more obvious.

When XSS attacks first emerged they were thought of as trivial, but as times have changed there is so much more information and valuable data stored online stealing someones login credentials can be enough to get a worthy stash of credentials.

According to Goldshlager, a penetration testing expert with Avnet Information Security Consulting in Israel, the cross-site scripting vulnerability can be exploited if a victim adds malicious code to his quick add post calendar.

“When the victim … [adds] this malicious code, his cookies [and] session ID will be stolen and will be sent to the attacker site,” he said. “Then the attacker will be able to get full control of the victim’s Google accounts like: Google Calendar account, Google Groups, iGoogle, etc.”

Goldshlager also demonstrated that the HTML injection vulnerability could be used to log a user out of his Google account, something the Google spokesman said “is of negligible security impact” and “can be avoided by not clicking on the link.”

“They should fix this immediately because an attacker can redirect a victim to any site that he wants, and [with] the XSS issue an attacker can steal the victim’s cookies and get full control of his accounts,” the researcher said.

At least the flaws were fixed quickly and disclosed responsibly. It’s an interesting start for the new year and honestly there’s been hardly any news for the past 3 days.

Let’s hope for an interesting year ahead and plenty of new interesting stories and tools.

Oh and of course, Happy New Year!

Source: eWeek

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , ,


Latest Posts:


BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.


One Response to Researcher Uncovers XSS Flaws In Twitter and Google Calendar

  1. brain[pillow] January 14, 2010 at 4:36 am #

    Here is another Passive XSS on twitter, found by me :)

    http://search.twitter.com/search?q=%26%2339%3B)%3Balert(%26%2339%3Bxek%26%2339%3B)%3B%2F%2F

    (& click on “Tweet these results”)

    but it is almoust useless(