Saturday, 8 March 2014

Twitter.com Hacked Via Text Load Injection by ./BL4CK E4GL3



I found this around 2 AM last night, and it's quite surprising that twitter.com is vulnerable to Text Load Injection. Text load injection is where you are allowed to inject text from ixData that is an indextable data type. So it will display a message as follows:


{"request":"\/i\/promoted_content\/log.json?BL4CK_E4GL3_W4S_H3RE",
"error":"Invalid event parameter provided."}
 
We will get that message by visiting the following link:
 https://twitter.com/i/promoted_content/log.json?BL4CK_E4GL3_W4S_H3RE  
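
An added example, not code from the original post or from Twitter: one way a server can echo the request into a JSON error like the one shown above so that the reflected text stays inert data. The function names and the response headers are assumptions; the post shows only the response body.

```python
import json

# JSON-legal escapes for characters that only matter if the body is ever
# parsed as HTML. "\/" is the slash escape visible in the response above.
HTML_SENSITIVE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
                  "'": "\\u0027", "/": "\\/"}


def error_response(request_target, message="Invalid event parameter provided."):
    """Return (headers, body) for an error that echoes the request target."""
    body = json.dumps({"request": request_target, "error": message},
                      separators=(",", ":"))
    for char, escape in HTML_SENSITIVE.items():
        body = body.replace(char, escape)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # stop browsers sniffing it as HTML
    }
    return headers, body


def reflection_is_inert(headers, body, request_target):
    """True if the echo is data only: JSON type, no raw markup, exact round trip."""
    is_json = headers.get("Content-Type", "").startswith("application/json")
    no_sniff = headers.get("X-Content-Type-Options") == "nosniff"
    no_markup = not any(c in body for c in "<>&'")
    round_trip = json.loads(body)["request"] == request_target
    return is_json and no_sniff and no_markup and round_trip


if __name__ == "__main__":
    samples = [
        "/i/promoted_content/log.json?BL4CK_E4GL3_W4S_H3RE",  # from the post
        "/i/promoted_content/log.json?<b>constructed & 'quoted'</b>",  # constructed
    ]
    for target in samples:
        headers, body = error_response(target)
        print(body, reflection_is_inert(headers, body, target))
```
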
 
I tried to submit it to a defacement mirror like Zone-H, but I can't
because someone already submitted Twitter.com to that mirror, and it was
a FAKE defacement. WTF?