Information
There is an HTML injection vulnerability in Twitter's main signup page which attackers can use to display custom-crafted messages to Twitter users for various malicious purposes. Affected parameters: invite_code= and invite_name=.
Steps to reproduce:
1. Add the invite_code= parameter with any random value. I have used [] in my POC below.
2. Add the invite_name= parameter. A user may even be prompted to visit a malicious link. Refer to the final POC link. (Please note: the reported vulnerability works only when both parameters are used in conjunction with each other.)

Screenshot
Attached to this report
Final POC
[Refer this link](https://twitter.com/signup?invite_name=, it's official. Twitter will start charging USD 4 per month from January 2015. However if you donate a one time amount of USD 10 to Twitter then your account will be considered as verified and twitter will be free for you. You can donate the amount directly to Twitter paypal address ([email protected]). However if you wish to proceed without making donation then a monthly amount of USD 4 will be charged to your account beginning January 2015. [Read More: http://t.co/rdj3TZV])
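The root cause described above is that the values of invite_code and invite_name are reflected into the signup page as raw markup. The following added example (not Twitter's code; the function names, the banner template and the invite_code format rule are assumptions) shows a vulnerable rendering beside a hardened one that validates invite_code and HTML-encodes invite_name, plus a small helper for spotting markup in logged parameter values. It does not model the report's observation that both parameters must be present together.

```python
import html
import re
from typing import Optional

# Assumption: an invite code is a short opaque token, so only [A-Za-z0-9_-]
# is accepted. This is an illustrative rule, not Twitter's actual format.
INVITE_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def render_invite_banner_vulnerable(invite_code: str, invite_name: str) -> str:
    """Reflects both query parameters into the page without encoding.
    Any tags or links inside invite_name are rendered as live markup."""
    return (f'<div class="invite" data-code="{invite_code}">'
            f'{invite_name} invited you to join.</div>')


def render_invite_banner_safe(invite_code: str, invite_name: str) -> Optional[str]:
    """Hardened version: reject invite_code values outside the expected
    format and HTML-encode invite_name before placing it in a text node."""
    if not INVITE_CODE_RE.fullmatch(invite_code):
        return None  # unexpected code: do not render the banner at all
    code = html.escape(invite_code, quote=True)
    name = html.escape(invite_name, quote=True)
    return (f'<div class="invite" data-code="{code}">'
            f'{name} invited you to join.</div>')


def looks_like_injection(value: str) -> bool:
    """Detection helper for request logs: flags a parameter value that
    carries an HTML tag, a javascript: URL or an inline event handler."""
    return bool(re.search(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon\w+\s*=", value))


# Constructed sample values (not the payload from the report).
SAMPLE_CODE = "abc123"
SAMPLE_NAME = 'Alice <a href="http://example.invalid/">click here</a>'

if __name__ == "__main__":
    print(render_invite_banner_vulnerable(SAMPLE_CODE, SAMPLE_NAME))
    print(render_invite_banner_safe(SAMPLE_CODE, SAMPLE_NAME))
    print(looks_like_injection(SAMPLE_NAME))
```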
Let me know if I missed anything or if any further information is required.