var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
The code snippet above appears to affect only certain Windows-based browsers. Apparently if you have Chrome on Linux you may not be affected.
The tweet starts with "WTF", so avoid that link.
To see some of the remarks about this tweet go here. (Note: it is safe to view, but may be embarrassing.)
How it Works
That WTF link opens two iframes. It doesn't technically hack your Twitter account; instead it uses your logged-in browser session to tweet. From a security standpoint, this is called cross-site request forgery (CSRF).
Cross-site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, CSRF exploits the trust a site has in the user's browser.
The exploit is actually easy. The main ingredients are:
- Twitter accepting status updates through a plain GET request, which an IFRAME can issue with the user's cookies attached, leaving the endpoint vulnerable to CSRF
- PasteHTML.com rendering and executing arbitrary user-supplied HTML and script, with no sandboxing around it
- Clients or Twitter automatically applying the t.co link shortener, which hides the real destination of the link
The code is nothing special. You create two IFRAMEs whose src points at the Twitter update API, so loading them sends the request that posts a status. Because the user who clicked the malicious link is already authenticated with Twitter, the browser sends their session cookies along and the tweet goes out on their behalf. This is the same trick that worked for the "Don't click this button" exploit.
Source: Social Media