Simon Willison's Weblog: wormshttp://simonwillison.net/2009-04-12T19:22:19+00:00Simon Willison17-year-old claims responsibility for Twitter worm2009-04-12T19:22:19+00:002009-04-12T19:22:19+00:00https://simonwillison.net/2009/Apr/12/yearold/#atom-tag
<p><strong><a href="http://www.bnonews.com/news/242.html">17-year-old claims responsibility for Twitter worm</a></strong></p>
It was a text book XSS attack—the URL on the user profile wasn’t properly escaped, allowing an attacker to insert a script element linking out to externally hosted JavaScript which then used Ajax to steal any logged-in user’s anti-CSRF token and use it to self-replicate in to their profile.
<p>Tags: <a href="https://simonwillison.net/tags/csrf">csrf</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/twitter">twitter</a>, <a href="https://simonwillison.net/tags/worms">worms</a>, <a href="https://simonwillison.net/tags/xss">xss</a></p>