Today and tomorrow, there’s a popular conference here in Germany that deals with Web2.0, called next07 from the German multimedia agency SinnerSchrader. As cool as in the term Web2.0, their partner cellity set up a twitter account which will be regularly displayed via a beamer live at the conference. Attendees and non-attendees can then twitter their messages to this account when adding themselves as a group/friend.
I stumbled upon a blog entry (I’m not at the conference) that tells us to watch the live twitter feed. While having a look at it, I had the telephone conference from today in mind. If you look at the screenshot, you see somebody posting a tinyURL link. While tinyURL is a very good service, it could be used to hide XSS prepared links so that you can’t see at a first glance that it might be a malicious link. Luckily, the link from the screenshot points to a PR website.
So, how does it harm users? The goal for an XSS attacker is to trick you into clicking on a link he sends you. This could either be via (HTML) e-mail, or via popular services like twitter. If I would be an attacker and I would know that a lot of people are very active members of (insert your favourite social network here).com, permanently logged in, and are also very active members of such a popular messaging service like twitter, the users could be harmed very easy by posting a message to a service like twitter with a prepared URL. The nature of the „Web2.0 crowd“ is that they are constantly and very actively consuming URLs/information without thinking about where they are clicking. So this would be a very effective distribution channel of XSS links.
Of course, there may be other and more easier ways to foist a link to users (for example, the same goes for posting short links or prepared images in forums), but as twitter is currently a service that gets a lot of hype, it could be used for such Second Order Attacks very easy (somebody remembers the popular XSS worm on MySpace some years ago?).
twitter by default seems to turn all links into links via the tinyurl service.
hopefully they do some xss checks before they ever send off the link to tinyurl in the first place.
You could just use the tinyurl preview feature http://tinyurl.com/preview.php which means that you get to see the url as a link rather than target page. It requires a cookie to be set, but it works well.