Twitter: XSS on OAuth authorize/authenticate endpoint

2015-09-02T15:24:28
ID H1:87040
Type hackerone
Reporter filedescriptor
Modified 2015-11-20T18:49:04

Description

Hi, I would like to report an issue where certain endpoints on twitter.com and api.twitter.com is vulnerable to XSS.

Detail

The redirection page after authorization/authentication does not sanitize the oauth_callback parameter.

PoC

  1. Go to http://innerht.ml/pocs/twitter-oauth-xss (Please use IE or something that hasn't implemented CSP)
  2. Click on Authorize app
  3. Alert pops up

Note: it also affects api.twitter.com as they both have the same endpoints

Repo step

  1. Obtain the request token (https://api.twitter.com/oauth/request_token) where parameter oauth_callback contains HTML like javascript%3A%2F%2F"><script>alert(document.domain)</script>
  2. Redirect the victim to the authorize/authenticate page with the token