July 14, 2009

Hacking Slandr: XSS and CSRF vulnerabilities patched

Last Sunday I received an alarming email from Aviv Raff (@avivra on Twitter). This is what he wrote:

Slandr suffers from XSS and CSRF vulnerabilities. The m.slandr.net
search page does not encode HTML entities in the search form field,
which can allow the injection of scripts. Also, the update form on the
index.php page does not use authenticity code in order to validate
that the HTTP request post is coming from the slandr web application.
As this can be used by an attacker to create a Twitter worm, it would
be great if you can fix this vulnerability as soon as possible.

I’m going to publish information about this vulnerability as part of
“Month of Twitter Bugs” initiative …. (…)

Aviv was so kind as to attach two links proving his concept :D. After carefully analyzing his suggestions I implemented various fixes, to ensure maximum security on Slandr Mobile Twitter once again. Please note that these vulnerabilities have not been exploited.

For the tech-savvy and interested people out there: the fixes I implemented range from using htmlentities()-encoding in more spots in the code, to token-based solutions that check that POSTs are coming from Slandr itself rather than from third-party (malicious) websites. Inspiration for the CSRF fix came from Chris Shiflett’s post on Cross-Site Request Forgeries and OWASP on CSRF. At first I tried implementing the csrf-magic fix. With this PHP class a single include protects every form against CSRF. A great solution to quickly safeguard your site once again; however, it did not go well with the existing Slandr code.
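The two fixes described above, as an added example that is not Slandr's own code: user-controlled input is run through htmlentities() before it is echoed back into the search form (the XSS fix), and the update form carries a per-session token that a third-party site cannot know, which the POST handler verifies before doing anything (the CSRF fix). It assumes PHP 7 or later (random_bytes, hash_equals) and a started session; the function names, form field names and the constructed demo input are hypothetical.

```php
<?php
// Added example, not Slandr's code. Assumes PHP 7+ and that a session is
// already started (session_start()) on the real pages. Names are hypothetical.

declare(strict_types=1);

// XSS fix: encode anything user-controlled before it lands in HTML.
// ENT_QUOTES also escapes ' and ", so the value is safe inside value="...".
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CSRF fix: a per-session secret. A malicious third-party page can make the
// browser send a POST to index.php, but it cannot read this value.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the submitted token; hash_equals avoids timing side channels.
function csrf_token_is_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// The search form echoes the query back, so the query must be encoded.
function render_search_form(string $query): string
{
    return '<form method="get" action="search.php">'
        . '<input type="text" name="q" value="' . escape_html($query) . '">'
        . '<input type="submit" value="Search">'
        . '</form>';
}

// The update form carries the hidden token that ties it to this session.
function render_update_form(): string
{
    return '<form method="post" action="index.php">'
        . '<input type="hidden" name="csrf_token" value="' . escape_html(csrf_token()) . '">'
        . '<textarea name="status"></textarea>'
        . '<input type="submit" value="Update">'
        . '</form>';
}

// Handling the POST: refuse the update unless the token round-trips.
function handle_update(array $post): string
{
    if (!csrf_token_is_valid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Invalid or missing CSRF token; update refused.';
    }
    $status = (string) ($post['status'] ?? '');
    // ... post $status to Twitter here ...
    return 'Posted: ' . escape_html($status);
}

// Quick demo without a web server: constructed input, not real traffic.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];                                  // stand-in for session_start()
    $probe = '"><b>injected</b>';                    // constructed markup probe
    echo render_search_form($probe), PHP_EOL;        // rendered inert: &quot;&gt;&lt;b&gt;...
    echo render_update_form(), PHP_EOL;
    echo handle_update(['status' => 'hi', 'csrf_token' => 'wrong']), PHP_EOL;   // refused
    echo handle_update(['status' => 'hi', 'csrf_token' => csrf_token()]), PHP_EOL; // accepted
}
```

The check in handle_update() has to run on every state-changing endpoint, not only the update form, and the token must never be accepted from a GET parameter or a cookie, since both are exactly what a cross-site request can carry. This is in effect what csrf-magic does for every form at once; doing it per form is more work but does not require rewriting how existing forms are generated.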

So thanks once again Aviv for pointing out these weak spots in Slandr Mobile Twitter! Happy Slandring once again!

March 12, 2009

Conversations-feature in Slandr Mobile Twitter premiering at SXSW 2009

A most wanted feature which has not yet been added to the Twitter API is ‘conversations’. Having said that, I am happy to announce that from now on you DO CAN HAZ READ ‘CONVERSATIONS’ ON DZE SLANDRZ TWITTR MOBILZ!

Why is the new conversations method in Slandr so cool? Imagine a tweet like:

If you saw this in your timeline, this tweet wouldn’t mean a thing. Context = everything, as @2525 once said.

Clicking the new button (the conversation-bubbles icon) next to that tweet brings you to the Conversations page, where the complete thread is displayed, which contextualizes the previously mentioned example tweet:

Please note that Conversations is a wanted feature on the Twitter API development list, as I can conclude from threads in the Twitter development talk group. Enabling conversations through the API would be a great add-on for Twitter, as this is where Twitter is heading to. Of course search is great for monitoring ongoing live events, but in-depth listing of person-to-person chats is a must in the Moscow!

The ‘conversations’ implementation on Slandr is a hack and only a hack. “Hacked by dope demand” -RoelandP. It is not supported by Twitter. Maybe it is even illegal, ooooh.

Happy conversationalising, Happy SXSW-ing, Happy Slandring.

Spread the word people! Slandr is the greatest mobile twitter client site out there! See you all at http://m.slandr.net