Date: 2010-09-26

Twitter allowed to post a tweet using a HTTP GET request.

There was no CSRF check for posting a tweet this way. The attacker created a worm which posted itself on the users timeline when the users saw and clicked the malicious tweet in their feed.

Related evaluation points: