Twitter

Date: 2010-09-26

Twitter allowed to post a tweet using a HTTP GET request.

There was no CSRF check for posting a tweet this way. The attacker created a worm which posted itself on the users timeline when the users saw and clicked the malicious tweet in their feed.

Related evaluation points:

• Cross-site request forgery (CSRF)

Links:

• CSRF attack strikes Twitter
• Don’t Click The WTF Link On Twitter Unless You DO Like Sex With Goats