Hacker Reckz0r, who recently breached CNN’s Web site, yesterday announced that he’d found a POST SQL injection vulnerability on Twitter’s support Web site, but had “no malicious intentions” to exploit the flaw (h/t Cyber War News).
“I located a POST SQL vulnerability on support.twitter.com in their api_general form box, the box uses a ‘referrer’ parameter which is vulnerable, and by that. We can inject twitter, and possibly extract confidental data from Twitter,” the hacker wrote in a Pastebin post. “It seems as most ‘large’ websites are vulnerable to this kind of attack, including m.facebook.com which was exploited by this vulnerability by some argentinian hacker.”
“The vulnerability lies in http://support.twitter.com/forms/submitted?regarding=api_general – You see, there might be dozens of vulnerabilities lying in support.twitter.com,” the hacker added. “We can inject hidden boxes in this kind of atmosphere.”