Twitter Whitehat Vulnerability for 2013: Flash-based XSS in Summify
On 6 May, I discovered a Flash-based XSS on Summify, a Twitter acquisition. This Flash-based XSS has its root in the popular yet notoriously vulnerable ZeroClipboard plugin. The XSS bug inside ZeroClipboard is due to the following piece of ActionScript code:

If you look closely at lines 2-3, the id variable is built up from the external (flash) variable id, which is user controllable. Then, in lines 16-25, there are multiple calls to ExternalInterface.call, which executes JavaScript in the origin of the page or website loading the SWF, and the id variable is passed as the second parameter to ExternalInterface.call without any encoding or sanitisation. Note that the SWF does not even need to be embedded by a page for this to matter: loading the .swf URL directly with a crafted id in the query string is enough, since query-string parameters become flashvars and the injected JavaScript then runs in the origin hosting the SWF. Exploitation of a similar scenario has been explained very well by Soroush Dalili on his blog. Luckily enough, I found this plugin on the Summify website and successfully managed to execute JavaScript using the XSS bug.

POC:
The issue was reported to the Twitter Security Team on 6 May itself and has been fixed as of 9 May. If you are looking for a ZeroClipboard fix, a patch has already been made that controls this behaviour to prevent the XSS, and it can be found here. Twitter has featured me on their "Security at Twitter" for 2013.
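To make the bug and the fix concrete, here is an added example that models the whole chain described above (the untrusted flashvar reaching ExternalInterface.call, and the patch that stops it). It is not code from the original post, from ZeroClipboard or from Flash Player. It assumes, following Soroush Dalili's write-up, that historical Flash Player wrapped ExternalInterface.call arguments in `try { __flash__toXML(fn(args)) ; } catch (e) { "<undefined/>"; }` and escaped double quotes in string arguments but not backslashes; the function names, the `SAFE_ID` allowlist and the `ZeroClipboardMovie_1` id are illustrative and not taken from the project.

```javascript
// Added model (not ZeroClipboard or Flash Player code) of how an attacker-controlled
// flashvar `id` becomes JavaScript executed in the origin of the embedding page.
// Assumption (simplified, per Soroush Dalili's write-up): Flash escaped `"` but not `\`.

function flashEscapeBuggy(s) {
  return String(s).replace(/"/g, '\\"');                           // `"` -> `\"`, `\` untouched
}

function flashEscapeFixed(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/"/g, '\\"');    // escape `\` first, then `"`
}

function serializeArg(a, esc) {
  if (a === null || a === undefined) return 'null';
  if (typeof a === 'number' || typeof a === 'boolean') return String(a);
  return '"' + esc(a) + '"';
}

// Model of the script ExternalInterface.call(fn, ...args) hands to the page (assumed shape).
function buildExternalInterfaceScript(fn, args, esc) {
  const list = args.map(a => serializeArg(a, esc)).join(',');
  return 'try { __flash__toXML(' + fn + '(' + list + ')) ; } catch (e) { "<undefined/>"; }';
}

// Vulnerable: a ZeroClipboard-style movie reports its id back to the page on load.
// `id` comes straight from flashvars with no validation.
function vulnerableDispatchScript(id) {
  return buildExternalInterfaceScript('ZeroClipboard.dispatch', [id, 'load', null], flashEscapeBuggy);
}

// Bridge-level fix only: correct escaping, still no validation of `id`.
function dispatchScriptWithFixedEscaping(id) {
  return buildExternalInterfaceScript('ZeroClipboard.dispatch', [id, 'load', null], flashEscapeFixed);
}

// App-level hardening (illustrative, hypothetical allowlist): refuse any id that is not a
// simple token before it ever reaches the JavaScript bridge.
const SAFE_ID = /^[A-Za-z0-9_-]+$/;
function hardenedDispatchScript(id) {
  if (!SAFE_ID.test(String(id))) {
    throw new Error('rejected unsafe ZeroClipboard id: ' + JSON.stringify(id));
  }
  return buildExternalInterfaceScript('ZeroClipboard.dispatch', [id, 'load', null], flashEscapeFixed);
}

// Run a generated script inside a stub "page" and record what it did.
function runInModelPage(script) {
  const page = { alerts: [], dispatched: [], syntaxError: null };
  let fn;
  try {
    fn = new Function('alert', 'ZeroClipboard', '__flash__toXML', script);
  } catch (e) {
    page.syntaxError = String(e);
    return page;
  }
  fn(m => page.alerts.push(m),
     { dispatch: (...a) => { page.dispatched.push(a); return a[0]; } },
     x => x);
  return page;
}

// Constructed payload: buggy escaping turns `\"` into `\\"`, so the backslash is consumed
// as an escaped backslash and the quote terminates the string literal. The remainder
// closes the call and the try block, runs alert(1), then comments out the rest.
const ATTACK_ID = '\\"));alert(1)}catch(e){}//';

function demo() {
  const v = runInModelPage(vulnerableDispatchScript(ATTACK_ID));
  const f = runInModelPage(dispatchScriptWithFixedEscaping(ATTACK_ID));
  const h = runInModelPage(hardenedDispatchScript('ZeroClipboardMovie_1'));
  return { vulnerableAlerts: v.alerts, fixedEscapingAlerts: f.alerts, hardenedDispatched: h.dispatched };
}
```

Two things fall out of running it: with the buggy serializer the generated script is syntactically valid and `alert(1)` fires, while merely escaping the backslash keeps the whole payload inside the string argument, so `ZeroClipboard.dispatch` simply receives it as data. Since a SWF cannot rely on the Player's serializer being fixed on every client, the allowlist in `hardenedDispatchScript` is the defence the SWF itself controls.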
P.S.: The XSS bug in the original ZeroClipboard project was not discovered by me; I have only written up the issue here for clarity.