Twitter: Following a User After Favoriting Actually Follows Another User (related to #95243)

2015-11-03T21:43:56
ID H1:97510
Type hackerone
Reporter ericr
Modified 2015-12-02T17:42:20

Description

Hi,

There appears to be a bug similar to #95243 which affects following a user after favoriting one of their tweets via an Intent dialog.

The following is a proof of concept:

https://twitter.com/intent/favorite/?tweet_id=661625230297821184&screen_name=ericrtest3

The screen_name param submits with the favorite form and ends up getting injected into the follow param on the resulting page.

This isn't quite as bad as the previous vulnerability I found, since it requires an additional step (favoriting a tweet) to exploit. However, the impact is exactly the same as the last vulnerability, in that the user has no idea that they're actually following a completely different user.

Please let me know if you have any other questions.
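The carry-through the report describes (an extraneous screen_name on the favorite intent URL riding along in the favorite form and landing in the follow target) modeled as an added example. This is not Twitter's code or the reporter's; the handlers, the tweet store, the tweet id 123 and the names tweet_author and attacker are constructed for illustration. The vulnerable renderer echoes every query parameter into the form and builds the follow link from whatever screen_name it finds; the hardened renderer allow-lists the form fields and derives the follow target from the tweet's real author, and a checker compares the follow target against the displayed author.

```python
"""Added example (constructed, not Twitter's code): intent-URL parameter carry-through."""
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed tweet store: tweet id -> author screen name (hypothetical data).
TWEETS = {"123": "tweet_author"}

# Constructed stand-in for the proof-of-concept URL shape in the report.
POC_URL = "https://example.invalid/intent/favorite/?tweet_id=123&screen_name=attacker"


def parse_intent(url):
    """Return the intent's query parameters as a flat dict (first value wins)."""
    query = parse_qs(urlparse(url).query)
    return {key: values[0] for key, values in query.items()}


def render_favorite_vulnerable(url):
    """Vulnerable flow: every query param is copied into hidden form fields,
    and the post-favorite follow link trusts the form's screen_name if present."""
    params = parse_intent(url)
    author = TWEETS[params["tweet_id"]]
    hidden_fields = dict(params)  # bug: screen_name rides along unvalidated
    follow_target = hidden_fields.get("screen_name", author)
    return {
        "shown_author": author,  # what the user sees on the page
        "hidden_fields": hidden_fields,
        "follow_url": "/intent/follow?" + urlencode({"screen_name": follow_target}),
    }


def render_favorite_fixed(url):
    """Hardened flow: only allow-listed fields reach the form, and the follow
    target is derived from the tweet's author, never from request input."""
    params = parse_intent(url)
    tweet_id = params["tweet_id"]
    author = TWEETS[tweet_id]
    hidden_fields = {"tweet_id": tweet_id}  # allow-list; screen_name is dropped
    return {
        "shown_author": author,
        "hidden_fields": hidden_fields,
        "follow_url": "/intent/follow?" + urlencode({"screen_name": author}),
    }


def follow_target_of(rendered):
    """Extract the screen_name the follow link would actually act on."""
    return parse_qs(urlparse(rendered["follow_url"]).query)["screen_name"][0]


def follow_matches_display(rendered):
    """The property the report says is violated: the account the follow button
    targets must be the account the page shows the user."""
    return follow_target_of(rendered) == rendered["shown_author"]


if __name__ == "__main__":
    for name, render in (("vulnerable", render_favorite_vulnerable),
                         ("fixed", render_favorite_fixed)):
        page = render(POC_URL)
        print(name, "shows", page["shown_author"],
              "but follows", follow_target_of(page),
              "consistent:", follow_matches_display(page))
```

The allow-list in the fixed renderer is the actual mitigation: the favorite form needs only tweet_id, so nothing else from the intent URL should be serialized into it, and the follow target must come from server-side data about the tweet rather than from a parameter the page never required.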