Weird script tries to auto-validate the Web Intent form


#1

Hi,

A colleague of mine has a weird issue with web intents. When he loads a web intent link (retweet, favorite…), e.g. this one from the @twitter account:

https://twitter.com/intent/retweet?tweet_id=395264042454888448

Then the form is automatically approved! After close inspection, it appears that when he does the query, a wild code block is injected, right before the “begin Google analytics” tag:

Has anyone encountered this before? Where does it come from, a local malware, or a condition in the template that generates the page?
What is surprising is that it is very “accurate” (a match on the ‘retweet_btn_form’ id). It’s not a random guess or mistake; the rogue script really wants to auto-retweet without asking for the user’s permission.

He tested and has the issue on Chrome (no plug-ins) and Firefox, both on Windows.
Personally I tried to reproduce it on my machine (with my own user account) but without success.

Thanks,
Julian (France)


#2