Bonsai Information Security - Vulnerability Research

Twitter Open Redirection Vulnerability

1. Advisory Information

Advisory ID: BONSAI-2010-0108
Date published: 2010-08-03
Vendors contacted: Twitter
Release mode: Coordinated release

2. Vulnerability Information

Class: Unvalidated Redirects and Forwards
Remotely Exploitable: Yes
Locally Exploitable: Yes

3. Software Description

Twitter is a rich source of instant information. Stay updated. Keep others updated. It's a whole thing.

4. Vulnerability Description

An open redirect occurs when an application takes a URL from a request parameter and redirects the user to it without validating the destination. It is used in phishing attacks: the link begins with the trusted site's domain, so users follow it and land on a malicious site without realizing it.

5. Vulnerable packages

Twitter < Mon Aug 2, 2010

6. Non-vulnerable packages

Twitter >= Mon Aug 2, 2010

7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel at ).

8. Technical Description

Twitter was prone to an open redirection vulnerability because the login flow failed to adequately validate the user-supplied redirect target. The following proof of concept is given. Without having a valid Twitter session, browse to:

After a successful login, the user will be forwarded to
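The following is an added example, not code from the Bonsai advisory or from Twitter, illustrating the flaw described in sections 4 and 8: a post-login redirect handler that echoes its parameter (the vulnerable behaviour) next to a hardened version that only accepts local paths. The parameter name `return_to` and the host `example.com` are assumptions; the advisory does not name Twitter's parameter or show the proof-of-concept URLs.

```python
"""Added example (not Bonsai's or Twitter's code): an open redirect in a
post-login handler beside a hardened version.

Assumptions (hypothetical): the login URL carries the post-login
destination in a query parameter named `return_to`, and the site's own
host is `example.com`.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

SITE_HOST = "example.com"  # assumed hostname of the application


def vulnerable_redirect_target(return_to: str) -> str:
    """Deliberately vulnerable: the parameter goes straight into the
    Location header, so any absolute URL is followed after login."""
    return return_to or "/"


def safe_redirect_target(return_to: str) -> str:
    """Return a redirect target that stays on this site, else "/".

    Policy: accept only an absolute *path* ("/foo?bar"), never a full URL.
    Rejected, with the browser trick each one relies on:
      "https://evil.example/"            absolute URL
      "//evil.example/"                   protocol-relative URL
      "/\\evil.example"                   backslash read as slash
      "///evil.example"                   extra slashes collapsed
      "/\t/evil.example"                  tab/newline stripped by browsers
      "https://example.com@evil.example/" userinfo masquerading as host
      "javascript:alert(1)"               scheme-only target
    """
    if not return_to:
        return "/"
    # Browsers drop ASCII tab/newline anywhere in a URL and strip leading
    # and trailing whitespace before parsing; mirror that first.
    candidate = return_to.strip()
    for ch in "\t\r\n":
        candidate = candidate.replace(ch, "")
    # Backslashes are treated as slashes in the authority section.
    candidate = candidate.replace("\\", "/")
    # Anything beginning with "//" resolves to another origin, no matter
    # how many slashes follow.
    if candidate.startswith("//"):
        return "/"
    parts = urlsplit(candidate)
    # A scheme or authority means this is not a local path.
    if parts.scheme or parts.netloc:
        return "/"
    if not parts.path.startswith("/"):
        return "/"
    # Rebuild from path and query only so no fragment or authority leaks.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def login_redirect(query_string: str, hardened: bool = True) -> str:
    """Simulate the Location header sent after a successful login, given
    the raw query string of the login URL (constructed input)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return_to = params.get("return_to", [""])[0]
    if hardened:
        return safe_redirect_target(return_to)
    return vulnerable_redirect_target(return_to)


if __name__ == "__main__":
    # Constructed phishing-style login URL query string.
    qs = "return_to=https%3A%2F%2Fevil.example%2F"
    print("vulnerable:", login_redirect(qs, hardened=False))
    print("hardened:  ", login_redirect(qs, hardened=True))
```

The hardened version deliberately refuses every absolute URL, including ones pointing at the site's own host: host allow-listing is where most redirect filters fail (userinfo, backslash and parser-differential tricks), and a post-login destination rarely needs to be anything but a path. If an absolute URL must be accepted, apply the same normalisation, parse it, and compare the exact parsed hostname against an allow-list rather than checking prefixes or substrings.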

9. Report Timeline

  1. 2010-07-01: Vulnerability was identified.

  2. 2010-07-06: First answer from Twitter.

  3. 2010-07-06 to 2010-08-02: Multiple emails from Bonsai Research Team. No answer was given.

  4. 2010-08-02: Twitter sent us an email stating that the vulnerability was patched.

  5. 2010-08-03: Public Disclosure.

10. About Bonsai

Bonsai is a company providing professional computer information security services. Founded in early 2009 in Buenos Aires, Argentina, and currently a sound growth company, we are fully committed to quality service and focused on our customers' real needs.

11. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
