I know what your friends did last summer
Published: Wed, 07 Jan 2009 16:50:09 GMT
Updated: Sat, 22 Mar 2025 15:38:12 GMT
I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I'll post my repro now. Basically, Twitter's JSON security is leaking data: the JSON feeds that are publicly available shouldn't be, IMO, or should at least be protected using known methods.
So if you use Twitter, a web site can know who you are and who your friends are. Spammers could use this data to automate targeted spamming attacks or maybe automated social engineering; you're more likely to open an email attachment from your friends, right?
The attack works by including the JSON data using a script tag on any web site; using setters you can get the data of the JSON feed in every browser except IE (in my testing).
<pre lang="javascript">
<script>
// Plant a setter for "user" on Object.prototype; it fires each time the feed assigns that property
Object.prototype.__defineSetter__('user', function (obj) {
  for (var i in obj) {
    alert(i + '=' + obj[i]);
  }
});
</script>
<script defer="defer" src="https://twitter.com/statuses/friends_timeline/"></script>
</pre>
Originally I thought it was a bug in Firefox, which is why I used Object.prototype and not simply Object, but I found a post by Joe Walker which uses a far better technique to grab all the data.
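The defender's view of the same problem, as an added example that is not code from the original post or from Twitter: the feed is readable cross-site only because a bare JSON array is also a valid JavaScript program, so a `<script src>` on any origin runs it with the victim's cookies attached. The block below checks whether a response body would compile as a script, and shows two of the known methods the post alludes to: prefixing the body with `)]}',` (which the site's own XMLHttpRequest client strips before parsing) and refusing requests that lack a header a script tag cannot set. The prefix, the `X-Requested-With` policy, the function names and the sample records are all assumptions made for this example.

```javascript
// Added example (not from the original post). Demonstrates why a bare JSON
// array leaks through a cross-site <script> tag and how a syntax-breaking
// prefix plus a request-header check close it. No network access is used.

// Assumed guard prefix: any text that is a syntax error as JavaScript works;
// this particular string is a well-known choice.
const GUARD = ")]}',\n";

// Constructed sample records standing in for a friends timeline (not real accounts).
const SAMPLE_FRIENDS = [
  { user: { screen_name: 'alice_example', name: 'Alice Example' } },
  { user: { screen_name: 'bob_example', name: 'Bob Example' } },
];

// The leaky form: an array literal is a complete, valid program.
function bareResponse(records) {
  return JSON.stringify(records);
}

// Hardened form 1: same JSON behind a prefix that cannot be parsed as a script.
function guardedResponse(records) {
  return GUARD + JSON.stringify(records);
}

// Hardened form 2: wrap the array in an object literal. At top level, `{` opens a
// block statement and the following `"friends":` is a syntax error, so a <script>
// tag cannot execute it either.
function wrappedResponse(records) {
  return '{"friends":' + JSON.stringify(records) + '}';
}

// Approximates what a browser does with a <script> tag: compile the body as
// JavaScript. Returns true when it compiles (and so would run on an attacker's page).
// Compilation via the Function constructor never executes the body.
function compilesAsScript(body) {
  try {
    new Function(body); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// What the site's own same-origin client does: strip the guard, then JSON.parse.
function parseGuarded(body) {
  if (!body.startsWith(GUARD)) throw new Error('missing guard prefix');
  return JSON.parse(body.slice(GUARD.length));
}

// Assumed server-side policy: a <script> tag cannot add custom request headers,
// so requiring one distinguishes the site's own XHR client from a hijacking page.
// Returns the response the handler would send.
function handleFriendsRequest(headers, records) {
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: guardedResponse(records) };
}

console.log('bare body compiles as script:', compilesAsScript(bareResponse(SAMPLE_FRIENDS)));
console.log('guarded body compiles as script:', compilesAsScript(guardedResponse(SAMPLE_FRIENDS)));
console.log('wrapped body compiles as script:', compilesAsScript(wrappedResponse(SAMPLE_FRIENDS)));
console.log('own client still reads', parseGuarded(guardedResponse(SAMPLE_FRIENDS)).length, 'records');
console.log('script-tag style request gets status', handleFriendsRequest({}, SAMPLE_FRIENDS).status);
```

The header check only helps if the endpoint also rejects the plain GET a script tag issues, which is what the 403 branch models; the prefix protects the body even where that check is forgotten. The setter trick in the post relied on pre-ES5 object-literal semantics (ES5 defines literal properties directly instead of invoking inherited setters), but the underlying exposure, a response that is a valid script served to anyone holding the cookie, is what the checks above target.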
Here is the proof of concept to prove I do know what your friends did last summer: twitter json hack