Dropsafe

by Alec Muffett

Confirmed: #XSS in #Tweetdeck reading #Facebook feeds to Web client

2011/12/20 13:19:41 GMT

UPDATE: Context and background now posted at Computerworld.

Following on from the discovery and the previous posting, see below; original content is in my feed somewhere but looks like:

<iMg Src=http://localhost/nope.gif onerror='javascript:alert("happy now ben?")'>

Twitter have had XSS bugs before, not Tweetdeck as far as I am aware – but then they used to have a proper client as opposed to a web interface.

Graham Cluley will doubtless be along shortly to tell us how [insert product name here] can protect us from all the stupid things that programmers do and fix only once.

WORKAROUND: DON’T USE THE WEB CLIENT, AND/OR REMOVE ANY FACEBOOK FEEDS FROM IT UNTIL THIS GETS FIXED. A BIT OBVIOUS, REALLY…

⊞

security

Comments

2 responses to “Confirmed: #XSS in #Tweetdeck reading #Facebook feeds to Web client”

2011/12/20

dropsafe : Faint possibility of #XSS in Web #Tweetdeck client via #Facebook? #security

[…] Confirmed. See this posting. Hat tip to @glynwintle for inspiring me to get off my arse and at least write it […]

Reply
2011/12/20

alecm

…and my former colleague Tim is a victim:
http://yfrog.com/odzhpp

Reply

Dropsafe

Confirmed: #XSS in #Tweetdeck reading #Facebook feeds to Web client

Comments

2 responses to “Confirmed: #XSS in #Tweetdeck reading #Facebook feeds to Web client”

Leave a Reply Cancel reply

More posts

UK Government King’s Speech proposes “Cyber ASBO” with obvious risk of scope creep into censorship

Don’t take away our freedom to play games when we want | 38 Degrees

‘Von der Leyen Announces the EU’s New Age Verification App Claiming it is “Completely Anonymous” & users “Cannot be Tracked”’ | …the EU is about to have its ‘Clipper’ moment

From 2019: ‘If there were 5 million “bad people” on Facebook – terrorists, criminals, drug-dealers, whatever – that would be 0.2% of the userbase’