Twitter: XSS in original referrer after follow

ID H1:50134
Type hackerone
Reporter akhil-reni
Modified 2015-03-09T18:37:58


Hey hi,

There is an XSS in the intent functionality.

Steps to reproduce

1) Copy-paste the following link;

2) Click follow

3) Now click "return to previous site"; you will see an XSS triggered.


  • Make sure you pick a tweet of a user that you don't follow.
  • To execute, you need to send a null referrer.

Here is the HTML code to attack victims:

<html> <a href="; " rel="noreferrer">click here and follow</a> </html>

A rel=noreferrer attribute will do our work.

Regards Wesecureapp
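The report above turns on a "return to previous site" link that is built from a referrer-derived value and reflected into the page. The following is an added example written for this page, not the reporter's code and not Twitter's implementation: it places the vulnerable pattern (raw reflection into an href) beside a hardened version that validates the value as an absolute http(s) URL, falls back to a local path when the referrer is absent or not acceptable, and HTML-escapes the attribute on output. Function names, the fallback path and the sample inputs are assumptions made for the example.

```python
"""Validate-then-escape handling of a referrer-derived return link.

Added example for this page; not the reporter's code and not Twitter's.
Names, the fallback path and all sample inputs are assumptions.
"""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

FALLBACK_URL = "/"          # assumed local landing page used when no safe referrer exists
ALLOWED_SCHEMES = ("http", "https")


def render_return_link_unsafe(original_referer: str) -> str:
    """Vulnerable pattern: the referrer value is dropped straight into the HTML attribute."""
    return f'<a href="{original_referer}">Return to previous site</a>'


def safe_return_url(original_referer: Optional[str]) -> str:
    """Return the referrer only if it is an absolute http(s) URL with a host.

    Empty/missing values, scheme-relative URLs (//host), non-http schemes such as
    javascript:, and bare paths all fall back to FALLBACK_URL so the page never
    reflects something it cannot account for.
    """
    if not original_referer:
        return FALLBACK_URL
    candidate = original_referer.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 brackets
        return FALLBACK_URL
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return FALLBACK_URL
    return candidate


def render_return_link_safe(original_referer: Optional[str]) -> str:
    """Hardened pattern: validate the URL, then escape it for an attribute context."""
    url = safe_return_url(original_referer)
    # quote=True also turns " and ' into entities so the value cannot close the attribute.
    return f'<a href="{escape(url, quote=True)}">Return to previous site</a>'


if __name__ == "__main__":
    # Constructed sample inputs: a normal referrer, a missing one, and a non-http scheme.
    for sample in ("https://example.com/page?q=1", None, "javascript:void(0)"):
        print(repr(sample), "->", render_return_link_safe(sample))
```

The two layers are independent on purpose: validation keeps non-navigational schemes and unexpected inputs out of the link entirely, while attribute escaping means that even a URL which passes validation cannot break out of the `href`. In the report's scenario the referrer is absent, which is exactly the case the fallback branch covers.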