Twitter: ads.twitter.com xss

2014-09-09T02:32:00
ID H1:27511
Type hackerone
Reporter arbitrarycode
Modified 2014-11-17T14:30:51

Description

A Cross-Site Scripting vulnerability exists in the card[name] parameter when creating/cloning a card via the script https://ads.twitter.com/accounts/18ce53wrkma/cards/new?card_type=7. Here is a simple test vector:

</title><script>alert(document.cookie)</script><title>

After the card is created, the XSS becomes persistent and can be triggered via https://ads.twitter.com/accounts/18ce53wrkma/cards/show?url_id=42qj.
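
The leading </title> in the test vector suggests the stored card name is written unescaped into the page's <title> element. As an added example (not Twitter's code and not part of the original report; the page template and all function names are hypothetical), this renders the report's vector through an unescaped template and through one that applies HTML output encoding, then counts the tags a browser would act on:

```javascript
// Added example: the template and function names below are assumptions,
// not taken from ads.twitter.com.

// Test vector quoted in the report.
const REPORT_VECTOR = '</title><script>alert(document.cookie)</script><title>';

// Vulnerable pattern: stored card name concatenated straight into <title>.
function renderCardPageUnsafe(cardName) {
  return `<html><head><title>${cardName}</title></head><body></body></html>`;
}

// HTML-escape for element content and quoted attribute values.
// '&' is in the same single pass, so already-escaped output is not re-processed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed pattern: encode at output time, where the HTML context is known.
function renderCardPageSafe(cardName) {
  return `<html><head><title>${escapeHtml(cardName)}</title></head><body></body></html>`;
}

// Crude regression check: how many <script> start tags and </title> end tags
// does the rendered markup contain? A clean page has 0 and 1.
function countTags(html) {
  return {
    scriptOpen: (html.match(/<script\b/gi) || []).length,
    titleClose: (html.match(/<\/title\s*>/gi) || []).length,
  };
}

console.log('unsafe:', countTags(renderCardPageUnsafe(REPORT_VECTOR)));
console.log('safe:  ', countTags(renderCardPageSafe(REPORT_VECTOR)));
```

Because the payload is stored, the encoding has to happen on every page that displays the card name, not only on the form that creates it.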