Messed around a bit and noticed that you can indeed post using a GET request to Twitter. This looks to be somewhat XSRF-protected with an authorization token, so hopefully it's not dead simple to exploit.
However, the delete requests are just simple GETs of the form http://twitter.com/status/destroy/842624743. I just loaded that URL separately in my browser and it deleted the associated post since I was logged in. It doesn't work if I try to delete other people's posts, but I *can* get their post numbers out of the HTML if I wanted to target someone. Or you could just run through random numbers and delete random posts if one matched up. Twitter was the 3rd site I tried to exploit in this manner (the joomla-running site and the phpbb-running site were thankfully both resistant to me posting using GETs). I'd say if it takes me that little time to find one... GET requests probably aren't as safe as the specs say they are.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
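The pattern the post describes (a state-changing delete reachable by plain GET with only the session cookie) next to the hardened form a defender would want, as an added illustration that is not the poster's code nor Twitter's; the route handlers, the in-memory status/session tables and the `authenticity_token` form field name are all constructed for this sketch.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory stand-ins for a real data store (assumption, not Twitter's code).
SESSION_SECRET = secrets.token_bytes(32)
STATUSES = {842624743: "alice", 842624744: "bob"}       # status id -> owner
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}   # session cookie -> user


def csrf_token(session_id: str) -> str:
    """Token derived from the session so a page on another origin cannot know it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _status_id(req: dict) -> int:
    # /status/destroy/<id>  ->  <id>
    return int(req["path"].rsplit("/", 1)[1])


def destroy_vulnerable(req: dict) -> str:
    """The pattern from the post: any request carrying the session cookie deletes the status.
    The ownership check is kept (other people's posts stay safe), but nothing distinguishes a
    deliberate click from a cross-site navigation the browser made with the cookie attached."""
    user = SESSIONS.get(req.get("cookie"))
    sid = _status_id(req)
    if user is None or STATUSES.get(sid) != user:
        return "403"
    del STATUSES[sid]
    return "200 deleted"


def destroy_hardened(req: dict) -> str:
    """Same action, but only on POST with a session-bound token that a cross-site page cannot
    supply; a SameSite cookie attribute would be a further layer on top of this check."""
    if req["method"] != "POST":
        return "405"                       # GET must never change state
    user = SESSIONS.get(req.get("cookie"))
    if user is None:
        return "401"
    token = req.get("form", {}).get("authenticity_token", "")
    if not hmac.compare_digest(token, csrf_token(req["cookie"])):
        return "403 bad csrf token"       # refused before touching any state
    sid = _status_id(req)
    if STATUSES.get(sid) != user:
        return "403"
    del STATUSES[sid]
    return "200 deleted"
```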
