Thursday, September 26, 2013

Twitter XSRF Vulnerability - Thanks to Miley Cyrus.. ;)

If you are following Miley Cyrus on Twitter, you may have noticed that for the last few months most of her tweets have been censored by Twitter's automatic explicit/18+ content filter.


When Twitter automatically hides explicit or 18+ content, it also shows a notification like the one below, through which you can permanently disable that filter for your Twitter account.


So when you click the "Always display media like this" hyperlink, the client-side code sends the raw request below to the server.


POST /i/expanded/update_view_possibly_sensitive HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://twitter.com/MileyCyrus
Content-Length: 107
Cookie: <removed>
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

authenticity_token=88ab8ef7388e544f1c8f22d58bd0d6XXXXXXXXXX&do_show=true&scribeContext[component]=tweet


Here the CSRF token parameter is named "authenticity_token". At a glance this looked fine and quite secure. The interesting part: when I removed the CSRF token from the POST request and replayed it, I noticed that the server accepted the request and saved the change.

BINGO!!!
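The root cause described above is a token that is checked only when present. The following is an added example, not Twitter's code: it parses the form body shown in the post, reproduces the flawed "optional token" check beside a hardened one, and runs both against the replayed request with the token stripped. The session-bound token value and the handler names are assumptions for illustration.

```python
"""Added example (not Twitter's code): an optional CSRF token gives no CSRF
protection, demonstrated on the request shape shown in the post."""
import hmac
from urllib.parse import parse_qs

# Constructed sample: the form body from the post, token present ...
BODY_WITH_TOKEN = ("authenticity_token=88ab8ef7388e544f1c8f22d58bd0d6XXXXXXXXXX"
                   "&do_show=true&scribeContext[component]=tweet")
# ... and the same body with the token parameter removed, as in the replayed request.
BODY_WITHOUT_TOKEN = "do_show=true&scribeContext[component]=tweet"

# Hypothetical token bound to the victim's session (assumption: held server-side).
SESSION_TOKEN = "88ab8ef7388e544f1c8f22d58bd0d6XXXXXXXXXX"


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_check(body: str, session_token: str) -> bool:
    """Flawed behaviour as described in the post: the token is verified only
    when the client sends one, so a forged form that omits it passes."""
    form = parse_form(body)
    token = form.get("authenticity_token")
    if token is None:
        return True  # BUG: a missing token is treated as "nothing to check"
    return hmac.compare_digest(token, session_token)


def hardened_check(body: str, session_token: str) -> bool:
    """Correct handling: the token must be present, non-empty and equal to the
    session-bound value (constant-time compare); anything else is rejected."""
    form = parse_form(body)
    token = form.get("authenticity_token", "")
    if not token or not session_token:
        return False
    return hmac.compare_digest(token, session_token)


def apply_sensitive_media_setting(body: str, session_token: str, check) -> dict:
    """State-changing handler for the endpoint: the setting changes only if
    the supplied CSRF check passes. Returns an HTTP-like status and new value."""
    if not check(body, session_token):
        return {"status": 403, "do_show": None}
    form = parse_form(body)
    return {"status": 200, "do_show": form.get("do_show") == "true"}


if __name__ == "__main__":
    for name, check in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        result = apply_sensitive_media_setting(BODY_WITHOUT_TOKEN, SESSION_TOKEN, check)
        print(f"{name:10s} replayed request without token -> {result}")
```

Running it shows the vulnerable check returning 200 and flipping the setting on the token-less replay, while the hardened check returns 403; the fix is to make absence of the token a rejection, not a skip.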

This issue was fixed on 4th September, after I reported it to the Twitter Security Team.

They have also added me to the Twitter Security Hall of Fame: https://twitter.com/about/security

This issue was also identified while I was testing Burpy; the module I wrote for the Twitter application is available here.