Twitter: Following a User After Favoriting Actually Follows Another User (related to #95243)

ID H1:97510
Type hackerone
Reporter ericr
Modified 2015-12-02T17:42:20
There appears to be a bug similar to #95243 which affects following a user after favoriting one of their tweets via an Intent dialog.

The following is a proof of concept:

The screen_name param submits with the favorite form and ends up getting injected into the follow param on the resulting page.

This isn't quite as bad as the previous vulnerability I found, since it requires an additional step (favoriting a tweet) to exploit. However, the impact is exactly the same as the last vulnerability, in that the user has no idea that they're actually following a completely different user.

Please let me know if you have any other questions.
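The report's mechanism, a request parameter that is accepted by one form and then echoed into the target of the next form, is worth seeing as code from the defender's side. The following is an added simulation written for this page; it is not Twitter's code, not code from the report, and the handler names, the in-memory tweet table and the sample request values are all constructed for illustration. It shows the unsafe pattern (trusting the submitted `screen_name` when building the follow step), the fix (deriving the follow target from the server-side record of the favorited tweet), and a mismatch check a server could log on when the two disagree.

```python
"""Simulation of a chained-parameter bug: a screen_name submitted with a
favorite form is reused, unvalidated, as the follow target on the next page.
All data and names here are constructed for illustration."""

import logging
from typing import Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("intent-demo")

# Constructed server-side record of tweets: tweet id -> author screen name.
TWEETS = {
    "1001": {"author": "alice"},
    "1002": {"author": "bob"},
}


def favorite_then_follow_vulnerable(params: dict) -> dict:
    """Unsafe handler: after favoriting, the hidden follow target is taken from
    the request's own screen_name parameter, so a crafted request can point the
    follow step at any account. Returns the fields of the follow form."""
    tweet_id = params["tweet_id"]
    if tweet_id not in TWEETS:
        raise KeyError(f"unknown tweet {tweet_id}")
    # Bug: user-controlled value flows straight into the next form.
    follow_target = params.get("screen_name", TWEETS[tweet_id]["author"])
    return {"tweet_id": tweet_id, "follow_target": follow_target}


def favorite_then_follow_fixed(params: dict) -> dict:
    """Hardened handler: the follow target is looked up from the server-side
    tweet record; whatever screen_name the client sent is ignored for that
    purpose. Returns the fields of the follow form."""
    tweet_id = params["tweet_id"]
    if tweet_id not in TWEETS:
        raise KeyError(f"unknown tweet {tweet_id}")
    return {"tweet_id": tweet_id, "follow_target": TWEETS[tweet_id]["author"]}


def detect_target_mismatch(params: dict) -> Optional[str]:
    """Detection aid: if the submitted screen_name differs from the favorited
    tweet's real author, return a log line describing the discrepancy; such a
    mismatch should never happen in a legitimate flow. Returns None otherwise."""
    tweet_id = params.get("tweet_id")
    submitted = params.get("screen_name")
    if tweet_id not in TWEETS or submitted is None:
        return None
    actual = TWEETS[tweet_id]["author"]
    if submitted != actual:
        line = (f"screen_name mismatch on favorite: tweet={tweet_id} "
                f"author={actual} submitted={submitted}")
        log.warning(line)
        return line
    return None


if __name__ == "__main__":
    # Constructed request: favoriting alice's tweet with a foreign screen_name.
    crafted = {"tweet_id": "1001", "screen_name": "mallory"}
    print("vulnerable:", favorite_then_follow_vulnerable(crafted))
    print("fixed:     ", favorite_then_follow_fixed(crafted))
    print("detect:    ", detect_target_mismatch(crafted))
```

The fix is the general rule for multi-step intent flows: once the server knows which object the first step acted on, every later step's target should be derived from that object's record, not re-read from a parameter the client could have altered.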