twitter.com/Reckz0r
------------

Hello there, fine peasants. Yet I'm here again, and this time it's even bigger, but I have no malicious intentions since I don't wanna get my ass suspended.

I located a POST SQL vulnerability on support.twitter.com in their api_general form box. The box uses a 'referrer' parameter which is vulnerable, and by that we can inject Twitter, and possibly extract confidential data from Twitter. It seems most 'large' websites are vulnerable to this kind of attack, including m.facebook.com, which was exploited through this vulnerability by some Argentinian hacker.

http://i.imgur.com/3btpI6W.png - screenshot

The vulnerability lies in http://support.twitter.com/forms/submitted?regarding=api_general

You see, there might be dozens of vulnerabilities lying in support.twitter.com. We can inject hidden boxes in this kind of atmosphere.

cheers,
twitter.com/Reckz0r