π Here is the full disclosure of the Twitter XSS + CSRF vulnerability.
Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.)
On 12/11, @rabbit_2333 posted details about an XSS on the Twitter subdomain .
analytics.twitter.com
This XSS seems to be nothing beyond alert popper because:
1). Twitter's cookies are HttpOnly, meaning reading them using Javascript is impossible.
2). There are CSRF tokens, so no CSRF attacks.
3). Strict same site policy on , so no CSRF attacks to it. twitter.com
However, I figured out some undocumented endpoints on also support using cookies to access. This means that any XSS on subdomains of Twitter can send requests to and impersonate the user. This solves problems 1 and 3. api.twitter.com
api.twitter.com
Reverse engineering the JS code of , I found that the CSRF token is just a hash of csrf_id in the cookie. Surprisingly, the csrf_id is not HttpOnly cookie, meaning that subdomain XSS can read this csrf_id and create CSRF tokens. This solves problem 2. twitter.com
And we got the full JS exploit to chain with this XSS vulnerability!
In another word, visiting this link earlier today would take over your account: analytics.twitter.com/mob_idsync_cliβ¦
It is highly irresponsible for Twitter to ignore these security issues and not pay the whitehats. The architecture and design patterns also need to be corrected.
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.