Twitter XSRF Vulnerability - Thanks to Miley Cyrus.. ;)

If you follow Miley Cyrus on Twitter, you may have noticed that for the last few months most of her tweets have been getting censored by Twitter's automatic explicit/18+ content filter.

When Twitter automatically hides explicit or 18+ content, it also shows a notification like the one below, through which you can permanently disable that filter for your Twitter account.

So when you click the "Always display media like this" hyperlink, the client-side code sends the raw request below to the server.

POST /i/expanded/update_view_possibly_sensitive HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 107
Cookie: <removed>
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache


In the request body, the CSRF token parameter is named "authenticity_token". At a glance this looked fine and quite secure. The interesting part came when I removed the CSRF token parameter from the POST body entirely and replayed the request: the server accepted it and saved the change. In other words, the token was only validated when it was present, so a cross-site page could submit the same POST without any token and silently change the victim's media settings.
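The following is an added example, not code from the original post or from Twitter, that models the root cause in Python: a server-side handler that compares the CSRF token only when the parameter is present, beside a hardened version that treats a missing token like a wrong one. It also includes the replay step from the write-up, stripping `authenticity_token` from a captured form body. The session store, the form parameter `display_sensitive_media` and the session id are assumptions; the real request body is not shown above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed session store: session cookie value -> CSRF token minted for that
# session. In a real application this lives in the server-side session.
SESSIONS = {"sess-abc": secrets.token_hex(16)}


def parse_form(body):
    """Parse an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_request(session_id, include_token=True):
    """Build the POST body the 'Always display media like this' link would send.
    The parameter name display_sensitive_media is an assumption (the page does
    not reproduce the body); authenticity_token is the name given in the post."""
    params = {"display_sensitive_media": "true"}
    if include_token:
        params["authenticity_token"] = SESSIONS[session_id]
    return urlencode(params)


def strip_param(body, name):
    """Remove one parameter from a form body: the replay step in the write-up."""
    form = parse_qs(body, keep_blank_values=True)
    form.pop(name, None)
    return urlencode(form, doseq=True)


def _token_matches(token, expected):
    # Constant-time comparison; encode so a non-ASCII token cannot raise.
    return hmac.compare_digest(token.encode(), expected.encode())


def vulnerable_update_view(session_id, body):
    """Handler with the bug: the token is checked only if the parameter is
    present, so a request that omits authenticity_token is accepted."""
    form = parse_form(body)
    token = form.get("authenticity_token")
    if token is not None and not _token_matches(token, SESSIONS[session_id]):
        return 403, None
    return 200, {"display_sensitive_media": form.get("display_sensitive_media") == "true"}


def fixed_update_view(session_id, body):
    """Hardened handler: a missing token is rejected exactly like a wrong one."""
    form = parse_form(body)
    token = form.get("authenticity_token")
    if token is None or not _token_matches(token, SESSIONS[session_id]):
        return 403, None
    return 200, {"display_sensitive_media": form.get("display_sensitive_media") == "true"}


def replay_without_token(handler, session_id):
    """Replay the captured request with authenticity_token removed and report
    whether the state change went through (True means the endpoint is CSRF-able)."""
    body = strip_param(build_request(session_id), "authenticity_token")
    status, result = handler(session_id, body)
    return status == 200 and result is not None and result["display_sensitive_media"]


if __name__ == "__main__":
    print("vulnerable accepts token-less replay:",
          replay_without_token(vulnerable_update_view, "sess-abc"))
    print("fixed accepts token-less replay:",
          replay_without_token(fixed_update_view, "sess-abc"))
```

The "validate only if present" pattern is the thing to look for when testing: a token that fails when tampered with proves nothing until you also confirm the request fails with the parameter (and, separately, the `X-Requested-With` header) removed. The replay against `fixed_update_view` is what a passing retest should look like.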


This issue was fixed on 4 September, after I reported it to the Twitter Security Team.

They have also added me to the Twitter Security Hall of Fame:

I found this issue while testing Burpy, and the module I wrote for the Twitter application is available here.



