WHID 2009-4: Twitter Personal Info CSRF

Gareth Heyes (and others) reported an interesting vulnerability in Twitter last week. Although his post included proof-of-concept code, a vulnerability disclosure on its own does not qualify as a hack, and the Web Hacking Incident Database does not list vulnerabilities.

Luckily, Giorgio Maone decided to create his own proof of concept, ran it against himself and published the result, which lets me record this as a hack.

By exploiting a CSRF bug in Twitter (or maybe a feature?), site owners can obtain the Twitter profiles of their visitors. For Twitter this is the second incident this year, and the two now account for 50% of the web incidents recorded for 2009. Is this going to be the year of Web 2.0 security?
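The entry does not say how the cross-site read works, so the following is an added illustration, not code from the WHID entry, from Twitter, or from either researcher's proof of concept. It assumes one common shape of such a leak: a cookie-authenticated profile endpoint that also honours a JSONP "callback" parameter, so any page that includes it in a script tag gets the visitor's private profile handed to its own function. The host, path, parameter and header names (twitter.example, /profile.json, callback, X-Requested-With) are assumptions, and the session store is constructed. The hardened handler alongside it refuses to emit JSONP for authenticated data and requires a custom header that a script tag or HTML form cannot supply.

```javascript
// Added example (not Twitter's code, not from the cited reports). Models a cookie-authenticated
// profile endpoint with an assumed JSONP "callback" parameter, the attacker page that abuses it,
// and a hardened replacement. Runs under Node.js with no dependencies.

// Constructed session store: cookie value -> profile of the logged-in user.
const SESSIONS = {
  'sess-abc': { screen_name: 'alice', name: 'Alice', email: 'alice@example.org' },
};

// Minimal Cookie header parser ("a=1; b=2" -> { a: '1', b: '2' }).
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Vulnerable handler (assumed shape): authenticates by cookie, then wraps the caller's private
// profile in whatever callback the requester names, so a <script> tag on any other site can
// have the browser execute it with the visitor's cookies attached.
function vulnerableProfileHandler(req) {
  const profile = SESSIONS[parseCookies(req.headers.cookie || '').session];
  if (!profile) return { status: 401, body: '' };
  const json = JSON.stringify(profile);
  const cb = req.query.callback;
  return cb
    ? { status: 200, contentType: 'application/javascript', body: `${cb}(${json});` }
    : { status: 200, contentType: 'application/json', body: json };
}

// Hardened handler: never emits JSONP for cookie-authenticated data and requires a custom
// header. A <script> tag or plain form cannot add headers, and a 2009-era browser would not
// let a cross-origin XMLHttpRequest send one either, so the header proves a same-origin caller.
function hardenedProfileHandler(req) {
  if ((req.headers['x-requested-with'] || '') !== 'XMLHttpRequest') return { status: 403, body: '' };
  const profile = SESSIONS[parseCookies(req.headers.cookie || '').session];
  if (!profile) return { status: 401, body: '' };
  return { status: 200, contentType: 'application/json', body: JSON.stringify(profile) };
}

// Models the browser handling <script src="https://twitter.example/profile.json?callback=steal">
// on the attacker's page while the visitor is logged in to the target site: the visitor's
// cookies are attached (no SameSite cookies existed in 2009), the attacker controls no headers,
// and the response body is executed as JavaScript with the page's global "steal" in scope.
// Returns what "steal" received, or null if nothing usable was executed.
function simulateScriptTagInclude(handler, victimCookieHeader) {
  const res = handler({ headers: { cookie: victimCookieHeader }, query: { callback: 'steal' } });
  if (res.status !== 200) return null;
  let captured = null;
  try {
    // Execute the response as a script tag would; a bare JSON object here is a SyntaxError,
    // which is exactly why plain JSON is not readable this way but JSONP is.
    new Function('steal', res.body)((p) => { captured = p; });
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
  }
  return captured;
}

// Models the legitimate same-origin XMLHttpRequest the site's own front end makes.
function simulateSameOriginXhr(handler, victimCookieHeader) {
  const res = handler({
    headers: { cookie: victimCookieHeader, 'x-requested-with': 'XMLHttpRequest' },
    query: {},
  });
  return res.status === 200 ? JSON.parse(res.body) : null;
}

const demoCookie = 'lang=en; session=sess-abc';
console.log('vulnerable, attacker script tag:', simulateScriptTagInclude(vulnerableProfileHandler, demoCookie));
console.log('hardened, attacker script tag:  ', simulateScriptTagInclude(hardenedProfileHandler, demoCookie));
console.log('hardened, same-origin XHR:      ', simulateSameOriginXhr(hardenedProfileHandler, demoCookie));
```

The essential asymmetry the example relies on is that a cross-site script tag carries the victim's cookies but nothing else the attacker chooses: the server therefore has to stop treating "has a valid session cookie" as proof that the page making the request is its own. Dropping JSONP for authenticated responses closes the read channel, and the custom-header requirement (or, equivalently, a per-session anti-CSRF token the other site cannot learn) makes the same distinction for any endpoint that changes state.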


Incident Outcome: