If you don’t know, Twitter allows you to create Direct Message groups between many Twitter users, not just one-to-one conversations. As the creator of a DM group, you can change the name of the group anytime you want.

However, there is a limitation on renaming the group. You can only use 15 characters for the name, so finding a payload that fits in 15 characters, to have any possibility of XSS, was challenging. Thanks to old HackerOne reports from Twitter, one of which had a payload for those 15 characters: <script>alert(1);//

So whenever you or other users share anything to this group using the recent conversation groups, you will see an XSS popup.
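The defensive side of this bug, as an added example that is not from the original post or from Twitter's code: a length limit on the group name does not stop markup from reaching the page, so the name has to be HTML-encoded in every view that displays it. The function names, the list markup and the sample names are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical names and markup, not Twitter's code.
const MAX_NAME_LEN = 15; // the rename limit described in the post

// Constructed sample group names; the second one is short enough to pass
// the length limit but still contains markup.
const SAMPLE_NAMES = ["Weekend plans", "<b>team</b>", "Tom & Jerry's"];

// Input-side check: only enforces length, says nothing about content.
function validateName(name) {
  if (typeof name !== "string" || name.length === 0) return "empty";
  if ([...name].length > MAX_NAME_LEN) return "too long";
  return "ok";
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so the browser parses whatever tags it contains.
function renderRowUnsafe(name) {
  return '<li class="conversation">' + name + "</li>";
}

// Encode the characters that are significant in HTML text and
// quoted attribute contexts.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened pattern: encode at output time, in every view that shows the
// name (conversation list, share dialog, notifications, ...).
function renderRowSafe(name) {
  return '<li class="conversation">' + escapeHtml(name) + "</li>";
}

// Run all sample names through both renderers for comparison.
function demo() {
  return SAMPLE_NAMES.map((name) => ({
    name,
    validation: validateName(name),
    unsafe: renderRowUnsafe(name),
    safe: renderRowSafe(name),
  }));
}

console.log(demo());
```
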

The bug was fixed by Twitter, who awarded me a decent bounty, but I expected a little bit more as it was on the main domain.

See POC here

Report here

