Twitter: [Stored XSS] - profile page

ID H1:36986
Type hackerone
Reporter xorb
Modified 2015-03-26T22:34:57


Stored XSS via API request: While creating a new account in the Windows mobile app, I noticed this request:

PUT /users/1147563919679037440 HTTP/1.1

It seems that the variable username is not properly filtered; just set the username to e.g. <svg/onload=alert()> and see the result on your profile on the Vine web site.
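The fix on the defender's side is two layers: allowlist validation of the username when the PUT request is accepted, and contextual HTML encoding when the profile page renders it. The following is an added example written for this record, not code from the report or from Vine/Twitter; the function names validateUsername, escapeHtml and renderProfile, the allowlist pattern and the sample values are assumptions chosen for illustration.

```javascript
// Added example (not part of the original report): defensive handling of a
// user-controlled username so that markup such as <svg/onload=alert()> is
// rejected at the API boundary and, if it ever reaches storage anyway, is
// rendered as inert literal text on the profile page.
// Hypothetical names: validateUsername, escapeHtml, renderProfile.

// Allowlist validation at the API boundary (PUT /users/<id>): only letters,
// digits, underscore and dot, 3 to 30 characters. The pattern is an assumption.
const USERNAME_RE = /^[A-Za-z0-9_.]{3,30}$/;

function validateUsername(name) {
  if (typeof name !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (!USERNAME_RE.test(name)) {
    return { ok: false, reason: 'disallowed characters or length' };
  }
  return { ok: true, value: name };
}

// Contextual output encoding for HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Render the profile-page fragment. Escaping on output is the second layer:
// even a value that bypassed validation (e.g. via an older client) cannot
// introduce a tag or an event handler.
function renderProfile(username) {
  return `<h1 class="profile-name">${escapeHtml(username)}</h1>`;
}

// Constructed sample values for the demonstration.
const SAMPLE_SAFE = 'xorb';
const SAMPLE_PAYLOAD = '<svg/onload=alert()>';

function demo() {
  return {
    safeAccepted: validateUsername(SAMPLE_SAFE).ok,
    payloadRejected: !validateUsername(SAMPLE_PAYLOAD).ok,
    rendered: renderProfile(SAMPLE_PAYLOAD),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Validation alone is not enough because usernames created before the check was added, or through another client, are already stored; the output encoding is what makes the profile page safe regardless of what is in the database.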