Wednesday, May 22, 2013

SQLi Exposed on Twitter Support #LulzVulnerabilities


SQLi Vulnerability Exposed on Twitter Support

We have located a POST SQL injection vulnerability on support.twitter.com in their api_general form box: the box uses a 'referrer' parameter which is vulnerable. Through it, we can inject Twitter and possibly extract confidential data from Twitter.

It seems as though most 'large' websites are vulnerable to this kind of attack, including m.facebook.com, which was exploited through this vulnerability by an Argentinian hacker.

The vulnerability lies in:

http://support.twitter.com/forms/submitted?regarding=api_general 

You see, there might be dozens of vulnerabilities lying in support.twitter.com.
We can inject through hidden boxes in this kind of environment.
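The post does not say how the form handler used the 'referrer' value, so the following is an added illustration, not code from the post or from Twitter: a constructed SQLite table and three handlers for a hidden 'referrer' POST field. The first pastes the field into the query (the pattern that makes a hidden box injectable), the second binds it as a parameter, and the third also checks it against an allowlist, since a hidden field is attacker-controlled like any other input. Table, column names and sample rows are assumptions.

```python
import sqlite3

# Constructed sample data: the post does not describe the real schema,
# so this table and the lookup it serves are assumptions for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, referrer TEXT, email TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", [
        (1, "api_general", "alice@example.invalid"),
        (2, "api_general", "bob@example.invalid"),
        (3, "mobile", "carol@example.invalid"),
    ])
    return conn

def lookup_vulnerable(conn, referrer):
    # Vulnerable pattern: the hidden POST field is concatenated straight into
    # the SQL text, so a quote in the value changes the query structure.
    sql = "SELECT email FROM tickets WHERE referrer = '" + referrer + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, referrer):
    # Hardened: the value is bound as a parameter and is only ever data.
    sql = "SELECT email FROM tickets WHERE referrer = ?"
    return [row[0] for row in conn.execute(sql, (referrer,))]

# Hypothetical allowlist of the values the form itself places in the field.
ALLOWED_REFERRERS = {"api_general", "mobile"}

def lookup_validated(conn, referrer):
    # Hidden fields are client-controlled; reject anything the form never emits.
    if referrer not in ALLOWED_REFERRERS:
        raise ValueError("unexpected referrer value")
    return lookup_parameterized(conn, referrer)

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test input, not from the post
    print(lookup_vulnerable(conn, "mobile"))       # one row
    print(lookup_vulnerable(conn, probe))          # every row leaks
    print(lookup_parameterized(conn, probe))       # []
    try:
        lookup_validated(conn, probe)
    except ValueError as err:
        print("rejected:", err)
```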