A new vulnerability and Proof of Concept (PoC) code have been posted to the Full Disclosure mailing list. Chris Evans says:
A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix. The bug permits — for example — an arbitrary web site to force the victim to make tweets.
A harmless example has also been posted on his site (see below):
http://scary.beasts.org/misc/twitter.html
This bug appears to be specific to Internet Explorer and is no fault of Twitter. At this time there does not appear to be a reasonable workaround. This appears to be a cross-origin CSS attack, which uses a style sheet import to steal confidential information from a victim website, hijacking a user’s existing authenticated session.
Chris goes on to state that there is evidence to suggest that Microsoft has been aware of this since at least 2008.
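The cross-origin CSS attack described above depends on the browser handing a non-CSS response from another origin to its CSS parser. The following added example (not code from the original post or from any browser) models that loading decision, contrasting a lax loader with a strict one that requires text/css for cross-origin or nosniff responses; the policy names, function names and example hosts are assumptions, and document mode is not modelled.

```javascript
// Added example: a simplified model of the style-sheet loading decision.
// All names and hosts below are hypothetical.

// Extract the bare media type from a Content-Type header value.
function mediaType(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide whether a response may be handed to the CSS parser.
//   "lax":    parse whatever comes back, skipping what is not valid CSS
//             (the behaviour a cross-origin CSS attack depends on)
//   "strict": cross-origin sheets, and any response marked nosniff,
//             must be served as text/css
function mayParseAsCss(pageUrl, res, policy) {
  if (policy === "lax") return true;
  const isCss = mediaType(res.headers["content-type"]) === "text/css";
  const nosniff =
    (res.headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  const crossOrigin = new URL(pageUrl).origin !== new URL(res.url).origin;
  return isCss || !(crossOrigin || nosniff);
}

// List the responses a lax loader would parse as CSS but a strict loader refuses.
function refusedOnlyByStrict(pageUrl, responses) {
  return responses
    .filter((r) => mayParseAsCss(pageUrl, r, "lax") && !mayParseAsCss(pageUrl, r, "strict"))
    .map((r) => r.url);
}

// Constructed sample data; every host is a placeholder.
const PAGE = "https://importer.example/page.html";
const SAMPLE = [
  // Authenticated HTML page on another origin: the case the attack targets.
  { url: "https://victim.example/home", headers: { "content-type": "text/html; charset=utf-8" } },
  // Genuine cross-origin style sheet: accepted under both policies.
  { url: "https://cdn.example/site.css", headers: { "content-type": "text/css" } },
  // Same-origin sheet with a wrong type and no nosniff: tolerated by this model.
  { url: "https://importer.example/legacy.css", headers: { "content-type": "text/plain" } },
  // Same-origin, wrong type, but the server opted in to nosniff: refused.
  { url: "https://importer.example/data.txt",
    headers: { "content-type": "text/plain", "x-content-type-options": "nosniff" } },
];

console.log(refusedOnlyByStrict(PAGE, SAMPLE));
```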
Update: another PoC has been posted:
http://skeptikal.org/exploits/twitter/twitter_xss.html
How long do we have to wait for a fix?
You can protect yourself by using NoScript, RequestPolicy, or other client-side protections.
Very interesting article, yay for session-hijacking.