Twitter: CRLF and XSS stored on ton.twitter.com

{"id": "H1:191380", "bulletinFamily": "bugbounty", "title": "Twitter: CRLF and XSS stored on ton.twitter.com", "description": "Hey,\n\n###[1] CRLF:\nIt's similar to #52042 but weaker\nto reproduce go to:\nhttps://ton.twitter.com/1.1/ton/data/dm/x/%E5%98%8A%E5%98%8Dset-cookie%3A%20test%3Dtest%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC\n\nyou will find that `test` cookie with the value `test` has been added to your cookies\n\n###[2] XSS:\nXSS can occur by injecting a `.jpg` image \nand uploading it to twitter\nthen changing the extension from `.jpg` to `.html`\nto reproduce open messages and start a conversation \nupload this image F143743 and send it in the conversation \nopen the image source url it will look alike \n\nhttps://ton.twitter.com/i/ton/data/dm/123456789/987654321/AbCdEf.jpg:large\n\nremove the last part `:large`\nand put `%23.html`\nXSS popup box will popup\n\nhowever this image can only appear to you and to the one who you send it to because it is a private message\nand to send the message you have to follow the victim and the victim has to follow you in most cases\nand ton.twitter.com has no valuable cookies at all \nso the impact will be a phishing page or let the victim downloading a malicious software after sending the injected image on a message \n\n###CRLF + XSS:\nboth bugs separately are too weak \nbut by joining them together the impact will be much more powerful\nton.twitter.com showing the image to the one who has a valid `auth_token` cookie with a value that has the right to see the injected image \nas example the attackers' `auth_token` is valid and has the right to see the injected image\nso if the attacker injected his own `auth_token` to the victim by CRLF\nthe injected image will appear to the victim even if the victim not following you\ncausing a XSS to occur \nthe following URL will:\n[1] change auth_token value to my own `auth_token` value to make the injected image appear in your pc\n[2] will redirect you to the injected imaged\n[3] Javascript will be executed causing attacker's phishing page to appear\nhttps://ton.twitter.com/1.1/ton/data/dm/809353163740483587/809353151434330112/O5hEYiOt.jpg%2523.html%E5%98%8A%E5%98%8Dset-cookie%3A%20auth_token%3Db2868e3d5fd901a1cf4819afd147ee893f331294%3B%20Domain%3D.twitter.com%3B%20Path%3D%2F%3B%20Expires%3DSat%2C%2015-Dec-2018%2009%3A45%3A55%20UTC%3BSecure%3BHTTPOnly\n\n###Impacts\n[1] phishing\n[2] crlf injection (cookie injection & DOS may occur & cache poisoning )\n[3] under certain circumstances it may lead to bypassing CSP in https://twitter.com \n\n###POCS\nF143759\nF143760\nF143761\n\nThank you!", "published": "2016-12-15T11:41:34", "modified": "1970-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://hackerone.com/reports/191380", "reporter": "seifelsallamy", "references": [], "cvelist": [], "type": "hackerone", "lastseen": "2017-07-06T04:18:15", "history": [], "edition": 1, "hashmap": [{"key": "bounty", "hash": "29fa83b4b41aaa48d91ea13ba0b18875"}, {"key": "bulletinFamily", "hash": "05ada9a7482161942c43eadd60b0440c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "6dcc998185ab5b9b78620474b7dc90da"}, {"key": "h1reporter", "hash": "02ed8b049599be232fa8aa058bf49aaf"}, {"key": "h1team", "hash": "7652492d34b17c23dc2e7da6f1780460"}, {"key": "href", "hash": "1ced68149d11e909180450804d026dca"}, {"key": "modified", "hash": "fe3f171f649be7d45d9d11d3f5d45695"}, {"key": "published", "hash": "4933443e459527d934c6f5262eab2d54"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "7da2fd0335ab1fc25312ef2b08308a72"}, {"key": "title", "hash": "c4318eaf51138bc695cf245d5605f7b4"}, {"key": "type", "hash": "ec83c92514064cbcd1d6878e7bc2471a"}], "hash": "f6cbd7df8d02f7fc8ce84ac0c12e68478d9b28c683e0e4f3620ef59b2ff6dcc2", "viewCount": 0, "enchantments": {"vulnersScore": 6.0}, "objectVersion": "1.3", "bounty": 1680.0, "h1team": {"handle": "twitter", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/production/000/000/061/e78ef26a3191adcabe7311daa107bd9e152d3b5c_medium.?1439954730", "small": "https://profile-photos.hackerone-user-content.com/production/000/000/061/4acfe72859c5e9cb48a152edb4e498e13fa28df2_small.?1439954730"}, "url": "https://hackerone.com/twitter"}, "h1reporter": {"disabled": false, "hacker_mediation": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/production/000/003/804/400900931f5f9bbb690550d96771f0156a0a9dea_small.jpg?1492164268"}, "url": "/seifelsallamy", "username": "seifelsallamy"}}