Hacking Slandr: XSS and CSRF vulnerabilities patched

Last Sunday I received an alarming email from Aviv Raff (@avivra on Twitter). This is what he wrote:

Slandr suffers from XSS and CSRF vulnerabilities. The m.slandr.net
search page does not encode HTML entities in the search form field,
which can allow the injection of scripts. Also, the update form on the
index.php page does not use authenticity code in order to validate
that the HTTP request post is coming from the slandr web application.
As this can be used by an attacker to create a Twitter worm, it would
be great if you can fix this vulnerability as soon as possible.

I’m going to publish information about this vulnerability as part of
“Month of Twitter Bugs” initiative …. (…)

Aviv was so kind as to attach two links proving his concept :D. After carefully analyzing his suggestions I implemented various fixes to ensure maximum security on Slandr Mobile Twitter once again. Please note that these vulnerabilities have not been exploited.

For you tech-savvies and interested people out there: the fixes I implemented range from using htmlentities() encoding in more spots in the code to a token-based solution that checks that POSTs are coming from Slandr itself rather than from third-party (malicious) websites. Inspiration for the CSRF fix came from Chris Shiflett’s post on Cross-Site Request Forgeries and OWASP’s page on CSRF. At first I tried the csrf-magic fix: with this PHP class a single include protects every form against CSRF. A great solution to quickly safeguard your site, but it did not go well with the existing Slandr code.
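To make the two fixes concrete, here is an added example in PHP that is not Slandr’s own code: a search form rendered with and without htmlentities() encoding, and a status-update handler that only accepts POSTs carrying the session’s CSRF token. The function names and the form field names (q, status, csrf_token) are assumptions for the example, not names from Slandr.

```php
<?php
// Added example, not Slandr's code. Shows the two fixes described above:
// escaping reflected input (XSS) and a session-bound token on the update
// form (CSRF). Field names q/status/csrf_token are assumed for the example.

declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// --- XSS: the search term is echoed back into the form field ---

// Vulnerable: the raw search term lands inside a quoted attribute, so a
// term containing a double quote can close the attribute and the tag.
function renderSearchFormVulnerable(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">';
}

// Fixed: htmlentities() with ENT_QUOTES encodes both " and ', which is
// required because the value sits inside an attribute, not just in text.
function renderSearchForm(string $q): string
{
    $safe = htmlentities($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '">';
}

// --- CSRF: a per-session secret that every state-changing form must echo ---

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it embeds cleanly in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every form the site renders itself.
function csrfField(): string
{
    $safe = htmlentities(csrfToken(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $safe . '">';
}

// Constant-time comparison, so the check does not leak the token byte by byte.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The update handler: a POST from another site cannot know this session's
// token, so it is rejected before anything is sent to Twitter.
function handleStatusUpdate(array $post): string
{
    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Rejected: missing or invalid CSRF token.';
    }
    $status = trim((string)($post['status'] ?? ''));
    if ($status === '') {
        return 'Rejected: empty status.';
    }
    // postToTwitter($status);  // assumed: the real API call would go here
    return 'Posted: ' . htmlentities($status, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Demo with constructed input ---
$term = 'hello" onfocus="x';   // constructed: a term that would break out of the attribute
echo renderSearchFormVulnerable($term), "\n"; // attribute boundary broken
echo renderSearchForm($term), "\n";           // value="hello&quot; onfocus=&quot;x", inert

echo csrfField(), "\n";
// Cross-site POST without the token: rejected.
echo handleStatusUpdate(['status' => 'from elsewhere']), "\n";
// POST from a form the site rendered (token included): accepted.
echo handleStatusUpdate(['status' => 'hello', 'csrf_token' => csrfToken()]), "\n";
```

The token check deliberately fails closed: no token in the session, or no token in the request, both count as invalid, and hash_equals() is used instead of == so the comparison time does not depend on how many leading bytes match.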

So thanks once again Aviv for pointing out these weak spots in Slandr Mobile Twitter! Happy Slandring once again!

@8 months ago
#slandr #slandr mobile twitter #csrf #xss #bug #patch #bugfix 

View everybody’s favourites!

Enabled the ‘view favourites’ functions in Slandr. Since Slandr’s launch you could already manage and view your own favourites (via Extra > Favourites). As of today you can also see the favourites of every public twitter user.

Find the favourites via the ‘single user view’ (click on a username) and click on the ‘view favs!’ link.

Happy Slandring!

@1 year ago

TwitterCounter integrated in Slandr. How many followers do you have on Twitter?

As of today, Slandr Mobile Twitter integrates TwitterCounter.com’s stats through their recently released API. From now on you can directly check the latest changes in a certain user’s follower count through Slandr.

Find the TwitterCounter link on every single user page. Click on a username anywhere in Slandr to get to the single user page, then find the link ‘twittercounter’ below the person’s bio. TwitterCounter integration in Slandr gratefully relies on the TwitterCounter API as well as on the Google Chart API.

Why? Because we can! Happy Slandring!

@1 year ago

Custom setting: avatars on or off. Save bandwidth!

As of today you can choose whether you want to show or disable the avatars in front of each tweet, potentially saving your bandwidth costs!

Go to your personal settings page, by clicking your username in the top navbar. From your userpane, click the ‘edit settings’ link, next to ‘It’s You!’. A new page will open called ‘Kustom-ice’. Under the advanced-settings you can now set your preference regarding avatar display.

Happy slandring!

@1 year ago

Quicklaunch icon for your mobile

At wap.getjar.com you can download a so-called ‘visual bookmark’, which is basically a quicklaunch bookmark for m.slandr.net nested in your phone’s apps folder. Clicking on this bookmark opens up your device’s browser.

The Visual Bookmark is available for Windows Mobile, Blackberry, Nokia (see warning below), and all other phones supporting Java/J2ME apps.

Nokia users please note: there are several reports that the .SIS installers are not working properly. The Java/J2ME app works fine though!

Go to the download page »

@1 year ago

Highlighting: it is YOU in the spotlight!

Added another minor feature today. From now on you can easily spot tweets to or about you in the main timeline (index) or single user view, because they are now highlighted with a different background colour and have a tiny border around the tweet. Hope u like it!

@1 year ago

Changes in top navigation

Next to the caching solution I changed the top navigation to use less space on your tiny mobile screen. Thank you @dutchcowboy and @timvandendool for your input! Please note that none of Slandr’s functions have been removed.

You can find the following subnavigation under the ‘geo’ tab:

Under the ‘extra’ tab you’ll find these functions:

@1 year ago

Fixed friendship & favorites methods

As of Friday, August 1st, Twitter’s API slightly changed. For Slandr this resulted in some loss of functionality: friendship/followers & favorites management was not possible. These functionalities have now been restored. Sorry for any inconvenience, happy slandring!

@1 year ago

Conversations-feature in Slandr Mobile Twitter premiering at SXSW 2009

A most wanted feature which has not yet been added to the Twitter API is ‘conversations’. Having said that, I am happy to announce that from now on you DO CAN HAZ READ ‘CONVERSATIONS’ ON DZE SLANDRZ TWITTR MOBILZ!

Why is Slandr’s new conversations feature so cool? Imagine a tweet like:

If you saw this in your timeline, the tweet wouldn’t mean a thing. Context=everything, as @2525 once said.

Clicking on the new conversation button (conversation bubbles icon) next to that tweet brings you to the Conversations page, where the complete thread is displayed, which contextualizes the example tweet mentioned above:

Please note that Conversations is a wanted feature on the Twitter API development list, as I can conclude from threads in the Twitter development talk group. Enabling conversations through the API would be a great add-on for Twitter, as this is where Twitter is heading to. Of course search is great for monitoring ongoing live events, but in-depth listing of person-to-person chats is a must in the Moscow!

The ‘conversations’ implementation on Slandr is a hack and only a hack. “Hacked by dope demand” -RoelandP. It is not supported by Twitter. Maybe it is even illegal, ooooh.

Happy conversationalising, Happy SXSW-ing, Happy Slandring.

Spread the word people! Slandr is the greatest mobile twitter client site out there! See you all at http://m.slandr.net

@12 months ago
#slandr #slandr mobile twitter #mobile twitter #twitter #application #conversation #conversations #reply #replies #twitter api #great mobile twitter site 

Added TwitterTrends: Follow trending topics from Search, Tweetmeme and Twitturl!

Twitter is all about the realtime web. From now on you can find trending links and topics in the Slandr Mobile Twitter Client Site. Trending links are provided by Tweetmeme.com and TwittUrls.com. Trending topics are provided by Twitter Search.

Find the Trending links/urls via the menu ‘Extra > Trends’. Trending topics are displayed below the search field under the menu ‘Search’.

Thank you @Amabacha for your suggestion!

Happy Slandring!

@1 year ago

Upload your photos to MobyPicture or Twitpic directly through Slandr mobile Twitter!

Added another feature to the ever-extending feature list of your favorite mobile Twitter browser: as of today you can accompany a tweet with a picture by using our built-in Pic & Tweet uploader.

Find the Pic & Tweet uploader by clicking the ‘extra’ tab and then the ‘Pic & Tweet’ subnavigation item. Type your message and attach a photo by hitting the browse button and browsing to an image on your phone. Click the ‘upload and tweet’ button to start the transfer.

Please note that this feature might consume some bandwidth, depending on the file size of the image you are uploading!

@1 year ago

Election 08 on Slandr

For Election day and night I’ve just launched ‘Slandr Election’. It is an aggregator service optimized for mobile browsers, showing you the latest election-related tweets from Twitter and election news provided by Yahoo and Google.

If you log in to Twitter via Slandr you can also view the tweets from Obama and McCain and post your own tweets on the timeline (#E08 automatically appended).

@1 year ago

View Twitpics directly in the timeline!

Twitpic is a popular ‘photo-to-twitter’ tool which lets you post pictures to your Twitter stream, including a link to a dedicated Twitpic page with the image and the location where the picture was taken.

As of today Slandr will automagically translate Twitpic URLs to display thumbnails of the pictures directly in your timeline. Clicking on a thumbnail will open a new page with a larger version of the Twitpicture.

By the way: Slandr has already offered this feature for quite some time for two other ‘photo-to-twitter’ services: Mobypicture.com and Autopostr.com.

@1 year ago

Retweeeeeeeet!

Yes, another frequently requested feature is now live on Slandr: retweeting! If one of your friends’ tweets is so unforgettable that it must be shared with your followers, just do so by hitting the new button in the timeline which looks like a fast-forward button.

This feature was recently requested by (amongst others) the following Slandr users: @chrsoz @tomraftery @whatleydude @paulbradshaw @ayse
Happy Slandring!

@1 year ago

Caching is over.

We are happy to announce that thanks to a tip from @michielb (from Twitstat) Slandr no longer caches Twitter API calls. This means that every time you hit the Slandr logo you’ll get fresh tweets! If you post a tweet yourself you’ll see it immediately in the timeline! WOOOOOO!

@1 year ago