Samy gave an excellent presentation on how he carried out the following:
- PHP session hijacking via smart bruteforce guessing of PHP session cookies through the analysis of PHP source code
- Cross Protocol Scripting (XPS): fooling the browser into thinking a malicious web site is connecting to an HTTP server when it is in fact connecting to an arbitrary SMTP/IRC server, or whatever else the attacker asks for. A DCC (Direct Client-to-Client, http://en.wikipedia.org/wiki/Direct_Client-to-Client) trick was used in the POST data.
- NAT Pinning through XPS: the browser thinks the victim is connecting to another HTTP server, while the NAT/firewall router thinks the user is connecting to an IRC server, which makes the router allow the connect-back attempt from that "IRC server".
- Using image onerror techniques to identify the user's router
- Once identified, attempting to log in to the user's router with the default username and password via an iframe
- Once logged in, attempting to obtain the router's MAC address via an XSS flaw in the user's router
- Once the MAC address is obtained, identifying the user's location via Google Location Services (http://samy.pl/mapxss/)
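The XPS and NAT pinning items above both rely on a non-HTTP service (IRC, SMTP) quietly accepting a connection that opens with an HTTP request line. An added example, not from the talk, of the server-side check a defender would put in front of such a listener: classify the first bytes of each inbound connection and flag HTTP preambles on IRC/SMTP ports. The port-to-service map and the connection records are constructed for illustration.

```python
import re

# Non-HTTP ports a browser could be coaxed into talking to (assumption:
# an illustrative map; extend it with whatever listeners you actually run).
NON_HTTP_PORTS = {25: "smtp", 6667: "irc"}

# An HTTP request line: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r?\n")


def is_http_request_line(first_bytes: bytes) -> bool:
    """True when the client's first line is an HTTP request line, i.e. the
    data almost certainly came from a browser, not an IRC/SMTP client."""
    return HTTP_REQUEST_LINE.match(first_bytes) is not None


def classify_connection(dst_port: int, first_bytes: bytes) -> str:
    """Classify one inbound connection by destination port and first bytes.

    Returns 'not-monitored' for ports we do not guard, 'ok' for a normal
    protocol opener, and 'xps-suspect:<service>' when an HTTP request line
    arrives on a non-HTTP port (the XPS / NAT pinning precondition).
    A real server should close such a connection without parsing any
    further lines, so nothing inside the POST body is interpreted."""
    service = NON_HTTP_PORTS.get(dst_port)
    if service is None:
        return "not-monitored"
    if is_http_request_line(first_bytes):
        return f"xps-suspect:{service}"
    return "ok"


# Constructed sample of (dst_port, first bytes) connection records.
SAMPLE_CONNECTIONS = [
    (6667, b"NICK alice\r\nUSER alice 0 * :alice\r\n"),          # genuine IRC client
    (6667, b"POST / HTTP/1.1\r\nHost: irc.example\r\n\r\n"),     # browser hitting IRC port
    (25, b"EHLO mail.example\r\n"),                              # genuine SMTP client
    (25, b"GET / HTTP/1.1\r\nHost: mail.example\r\n\r\n"),       # browser hitting SMTP port
    (80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),        # ordinary web traffic
]


def flag_xps(connections):
    """Return (port, verdict) for every connection that looks like XPS."""
    flagged = []
    for port, data in connections:
        verdict = classify_connection(port, data)
        if verdict.startswith("xps-suspect"):
            flagged.append((port, verdict))
    return flagged


if __name__ == "__main__":
    for port, verdict in flag_xps(SAMPLE_CONNECTIONS):
        print(f"port {port}: {verdict}")
```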