It’s Seif Elsallamy here. I have been away for a while, and I really miss doing the stuff I’m good at. Yes, breaking things. Here, take a look at my old posts.
I’m back again to all of you with a cool denial of service bug I discovered in Twitter, but before diving into the technical details, let’s go through some terms so we fully understand what we are talking about here.
A Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for.
I was trying to find an XSS on Twitter’s mobile site, but my plans didn’t work out. After I logged in, I opened a conversation with myself and started sending/fuzzing various payloads.
Here are some notes on the behavior I faced during the fuzz:
I noticed that when you send any link on Twitter, Twitter generates a link via its own link shortener service, which uses the well-known “t.co” domain, and then redirects you to the final destination you originally sent. That’s actually normal: it’s just tracking links, checking for unwanted content or filtering it, and preventing open redirection, something similar to the Linkshim protection system that Facebook uses. However, when you send a link (on Twitter’s mobile site) that belongs to one of the following Twitter domains, “twitter.com” or “mobile.twitter.com”, it doesn’t generate the above-mentioned “t.co” link. Hmmm!
So my theory was to find an XSS on Twitter by loading a URL from inside Twitter: sending a message with a URL that belongs to Twitter itself and contains variables.
In other words (just for illustration): going to https://mobile.twitter.com/?'"><img/src=x/onerror=alert(1)> from outside Twitter won’t trigger an XSS, but from inside Twitter it might, because it loads in a different way.
One of the XSS payloads I sent contained the following Unicode escape: "%u003e". It caused an error, and I could no longer see any messages in the conversation!! Hmmm, so interesting. BUT WHY?!
This string is a hexadecimal Unicode escape: %u003e means >, but Twitter couldn’t handle/load it. So I tried a URL containing %xx, e.g. https://mobile.twitter.com/%xx, and it triggered the same error (%xx is not a valid hexadecimal value). So Twitter was trying to find a value for %xx, but it couldn’t, so it raises an error every time you call this URL.
So now let’s copy and paste this URL and post it in the form of a tweet. Can you guess what will happen? I can see your eyes blinking and shining, hmm, isn’t it?
Result: BOOM, I’ve prevented literally all my followers from loading ANY new tweets. So now I only have one annoying problem, which is: Twitter’s mobile site.
Unfortunately this bug doesn’t work on Twitter’s main website; it only works on the mobile site version. But after a little research I found a URL to switch the “main site version” to the “mobile site version”, aka the new Twitter UI!
Twitter was trying a new beta UI on the main site that you can switch to and from freely: just click on your profile picture and click “Try the new Twitter”, and that’s it, you will be switched to a GUI that looks exactly like the Twitter mobile site UI. Time to see all the blah blah we were talking about in action…
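To show how a single malformed percent-escape can blank a whole feed, and how a client can be hardened against it, here is an added example that is not the author's code and not Twitter's. It assumes (hypothetically) that the mobile client ran the link text through `decodeURIComponent`, which throws a `URIError` on escapes like "%xx" or the non-standard "%u003e"; the tweet data, `extractLink` and the two render functions are constructed for illustration.

```javascript
// Assumption: the mobile client percent-decoded link text with decodeURIComponent,
// which throws URIError on malformed escapes such as "%xx" or "%u003e".
function safeDecodeURIComponent(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    if (!(e instanceof URIError)) throw e;
    // Decode only runs of syntactically valid %XX escapes; anything that is
    // still malformed (bad hex, truncated UTF-8) is left as literal text.
    return s.replace(/(%[0-9A-Fa-f]{2})+/g, (run) => {
      try { return decodeURIComponent(run); } catch (_) { return run; }
    });
  }
}

// Constructed sample timeline: tweet 2 carries the malformed URL from the post.
const SAMPLE_TWEETS = [
  { id: 1, text: "hello https://mobile.twitter.com/%3e" },
  { id: 2, text: "https://mobile.twitter.com/%xx" },
  { id: 3, text: "plain tweet" },
];

// Hypothetical helper: pull the first http(s) URL out of a tweet's text.
function extractLink(text) {
  const m = text.match(/https?:\/\/\S+/);
  return m ? m[0] : null;
}

// Fragile rendering: one tweet with a malformed link aborts the whole
// timeline, which is the failure mode the post describes.
function renderTimelineFragile(tweets) {
  return tweets.map((t) => {
    const link = extractLink(t.text);
    return { id: t.id, link: link ? decodeURIComponent(link) : null };
  });
}

// Hardened rendering: tolerant decoding plus per-item isolation, so a bad
// tweet degrades to a single broken entry instead of an empty feed.
function renderTimelineHardened(tweets) {
  const out = [];
  for (const t of tweets) {
    try {
      const link = extractLink(t.text);
      out.push({ id: t.id, link: link ? safeDecodeURIComponent(link) : null });
    } catch (e) {
      out.push({ id: t.id, link: null, error: String(e) });
    }
  }
  return out;
}
```

The same per-item isolation applies on the server side: a feed endpoint should never let one unparseable entity turn a 200 with 49 tweets into a 500 with none.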
This bug has been reported to the Twitter team, who fixed it, and you can find the original report on the HackerOne platform here: https://hackerone.com/reports/500686. Thanks everyone for your time, and till the next one…
A minute if you please!
Building a website, an API or an application, or dealing with any kind of sensitive information? Anything related to the security and safety of your business? Or have you already launched one without considering security? Worried about your personal security? Think twice before going public, and let us protect your business!