Open Redirect leak of authenticity token leads to full account takeover

From Hackipedia
Hackerone #49759
Target: Twitter
Target Module:
Type: Open Redirect
Original: Link
Archive Screenshot

When viewing private messages on Twitter's mobile site, you could choose to follow the user you were speaking with, using this URL:

seifelsallamy found that a URL could be placed in the recipient parameter, like so:

This would redirect the user to, but would furthermore POST the user's authenticity token to the. This would give a malicious user the opportunity to steal Twitter accounts.
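The fix on the server side is to never let a user-supplied parameter choose an off-site redirect target. The validator below is an added example written for this page, not code from Twitter or from the report; the allow-listed hosts are constructed placeholders. It rejects the tricks that usually slip past a naive "starts with /" check (scheme-relative `//host`, backslashes, `https:host` without slashes, credentials-in-authority, non-http schemes, control characters).

```python
from urllib.parse import urlsplit

# Hosts a post-action redirect may land on. Constructed for this example;
# a real deployment would list its own first-party domains here.
ALLOWED_HOSTS = {"example.com", "mobile.example.com"}


def is_safe_redirect(target: str) -> bool:
    """Return True only if `target` is a same-site path or an http(s) URL on an
    allow-listed host. Everything else is rejected."""
    if not target:
        return False
    # Browsers strip or tolerate ASCII control characters and whitespace, so a
    # prefix check on the raw string can be bypassed; reject them outright.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat backslash as a path separator, so '/\evil' is '//evil'.
    normalised = target.replace("\\", "/")
    if normalised.startswith("/"):
        # Relative path. A second leading slash ('//evil', '///evil') makes it
        # scheme-relative, which the browser resolves to another host.
        return not normalised.startswith("//")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Absolute URL: require an explicit http(s) scheme AND an authority.
    # 'https:evil.com' parses here with an empty netloc, but browsers open it
    # as https://evil.com, so an empty netloc is rejected rather than trusted.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    # .hostname drops userinfo and port, so 'https://example.com@evil.net'
    # is judged on 'evil.net', not on the decoy before the '@'.
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def choose_redirect(target: str, fallback: str = "/") -> str:
    """What the redirect handler should emit: `target` if safe, else `fallback`."""
    return target if is_safe_redirect(target) else fallback
```

Pair this with an authenticity token that is never included in the redirect's form body or query string, so even an accepted redirect cannot carry it off-site.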

How To Perform

  1. Find open redirect
  2. Use Wireshark or the browser's Network inspector to look for any data that is being passed to a third party.