Twitter: XSS via Direct Message deeplinks

ID H1:341908
Type hackerone
Reporter 0xsobky
Modified 2019-05-09T18:03:28


Description: By using a specially crafted payload as the value of the text parameter in a Direct Message deeplink, a malicious user can inject arbitrary HTML tags and possibly run arbitrary JavaScript code on the "" origin.

Steps To Reproduce:

  1. Create a Direct Message deeplink by following the instructions on this Twitter developer guide.
  2. Use the following payload as the value for the text parameter: %3C%3C/%3Cx%3E/script/test000%3E%3C%3C/%3Cx%3Esvg%20onload%3Dalert%28%29%3E%3C/%3E%3Cscript%3E1%3C%5Cx%3E2
  3. Tweet the deeplink you created. It should look like the following:


It seems that the deployed CSP policy currently blocks the execution of arbitrary JavaScript code, however, arbitrary HTML tags can still be injection on to carry out other kinds of attacks (i.e., deanonymization attacks, phishing, etc.). While you're in the process of verifying this, I'll be working on a bypass for the CSP policy in order to execute arbitrary JavaScript.

The hacker selected the Cross-site Scripting (XSS) - DOM weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:


Verified Yes