Note: Addthis.com fixed this issue yesterday (26/09/12). Thanks to the Addthis.com team for fixing it so rapidly!
"Third party scripts are a hidden potential security threat"

Addthis.com, for example, provides very useful scripts that help enhance a website with the most used social media networks. From Wikipedia: “AddThis is a widely used social bookmarking service that can be integrated into a website with the use of a web widget. Once it is added, visitors to the website can bookmark an item using a variety of services, such as Facebook, MySpace, Google Bookmarks, Pinterest, and Twitter.”
AddThis social plugins and analytics are used by "over 14 million sites worldwide" (2007).
You just need to “add this”:
There are many advantages in doing this:
• code will be updated by the maintainer
• bugs will be fixed silently
• … many others
Unfortunately it also hides several drawbacks:
• Security vulnerabilities in the referenced scripts become vulnerabilities of your website, since the third-party code runs in your page's origin
More information about DomXss vulnerabilities can be found here:
DomXss in Addthis.com Widgets
Details of the vulnerability have been temporarily omitted because the number of affected websites is huge. We did this to give the vendor enough time to fix the issues (full details have been sent to firstname.lastname@example.org).
Note from 26/09: Investigating further, it seems that the vulnerability is not always triggered; this may depend on the templates used.
Note from 27/09: Details about the issue can be found here
The vulnerability was found using DominatorPro, our DomXss analyzer. Dominator is an open-source project with several extensions (some of them commercial) and can be downloaded for free at
A temporary patch
You can apply this temporary patch through configuration to protect your website until the vulnerable code is fixed. Note: this patch does not remove the vulnerability itself, but it prevents it from being easily exploited.
To patch a vulnerable AddThis.com widget, manually populate the following property (addthis:url) on the widget element:
For more information visit:
... <div addthis:url="http://example.com" class="addthis_toolbox addthis_default_style"> ...
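As an added illustration (example code written for this post, not AddThis's own widget code), the toy renderer below shows why pinning addthis:url takes the document location out of the picture, why the post still calls that a temporary measure, and what a library-side fix of the same DOM XSS class looks like. The attribute objects stand in for a parsed widget <div>, the location string is constructed for the demonstration, and the function names are hypothetical; it runs under Node.js without a browser.

```javascript
// Added example, not AddThis code: a toy share-widget renderer illustrating the
// DOM XSS class (untrusted location concatenated into HTML), the page-side
// configuration patch from the post (pin addthis:url) and a hardened renderer.

// Constructed sample: a document location carrying attribute-breakout characters.
const CONSTRUCTED_LOCATION = 'http://example.com/post?id=1"><b>injected</b>';

// Attribute set of a widget configured as the post's temporary patch suggests:
// the URL to share is pinned on the element instead of read from the location.
function patchedWidgetAttrs(canonicalUrl) {
  return {
    'addthis:url': canonicalUrl,
    class: 'addthis_toolbox addthis_default_style',
  };
}

// Vulnerable pattern (hypothetical, for illustration): when no addthis:url is
// configured, the URL falls back to the location and is concatenated straight
// into markup, so any quote or angle bracket in the location lands in the DOM.
function renderWidgetVulnerable(attrs, locationHref) {
  const url = attrs['addthis:url'] || locationHref;
  return '<a class="addthis_button" href="' + url + '">Share</a>';
}

// Minimal HTML encoder for attribute and text contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: the location may still be the fallback, but it is parsed,
// restricted to http(s), re-serialised (the WHATWG parser percent-encodes
// quotes and angle brackets in the query) and HTML-encoded before it reaches
// markup. Returns null for input that is not a usable web URL.
function renderWidgetHardened(attrs, locationHref) {
  const raw = attrs['addthis:url'] || locationHref;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  parsed.hash = ''; // the fragment is never part of the address worth sharing
  return '<a class="addthis_button" href="' + escapeHtml(parsed.href) + '">Share</a>';
}

// Site-side check for the temporary patch: given the attribute sets of the
// elements on a page (as a crawler or template linter would collect them),
// return the indexes of addthis_toolbox widgets that still lack addthis:url.
function findUnpatchedWidgets(widgetAttrList) {
  const unpatched = [];
  widgetAttrList.forEach((attrs, i) => {
    const cls = attrs.class || '';
    const isWidget = cls.split(/\s+/).includes('addthis_toolbox');
    const url = attrs['addthis:url'];
    if (isWidget && !(typeof url === 'string' && url.trim() !== '')) unpatched.push(i);
  });
  return unpatched;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderWidgetVulnerable({}, CONSTRUCTED_LOCATION));
  console.log(renderWidgetVulnerable(patchedWidgetAttrs('http://example.com/post?id=1'), CONSTRUCTED_LOCATION));
  console.log(renderWidgetHardened({}, CONSTRUCTED_LOCATION));
  console.log(findUnpatchedWidgets([patchedWidgetAttrs('http://example.com/a'), { class: 'addthis_toolbox' }]));
}
```

With the widget patched, the vulnerable renderer emits only the pinned canonical address, which is the whole effect of the configuration patch. It is temporary because the renderer itself still does no encoding: the real fix belongs in the script, as in renderWidgetHardened, and the audit function is the check to run over your templates to confirm no widget still relies on the document location.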