Twitter.com XSS!!

If you don’t know, twitter.com allows you to create Direct Message groups between many Twitter users, in addition to one-to-one conversations. As the creator of a DM group, you can change the name of the group anytime you want.

However, there is a limitation on renaming the group. You can only use 15 characters for the name, so finding a payload that fits in 15 characters was the challenge for having any possibility of XSS. Thanks to old HackerOne reports for Twitter, one of which had a 15-character payload, I had one to use: <script>alert(1);//

So whenever you or other users share anything in this group using the recent conversation groups, you will see an XSS popup.

The bug was fixed by twitter.com, which awarded me a decent bounty, but I expected a little bit more as it was in the main twitter.com domain.
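The defensive point behind this bug, as an added example that is not Twitter's code or fix: a length cap on the group name bounds its size but not its characters, so the name still has to be encoded where it is written into the recent-groups markup. The function names, the list markup and the sample names are assumptions made for illustration.

```javascript
// Added example. Function names, markup and sample data are assumptions,
// not Twitter's code.
const MAX_NAME_LEN = 15; // rename limit stated in the write-up

// Length-only validation: it bounds the size, not the characters.
function isValidGroupName(name) {
  return typeof name === "string" && name.length > 0 && name.length <= MAX_NAME_LEN;
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is concatenated into the list markup.
function renderRecentGroupUnsafe(group) {
  return `<li data-id="${group.id}">${group.name}</li>`;
}

// Hardened pattern: every stored value is encoded at the point of output.
function renderRecentGroupSafe(group) {
  return `<li data-id="${escapeHtml(group.id)}">${escapeHtml(group.name)}</li>`;
}

// Constructed sample: a short name that passes the length check yet is markup,
// followed by the string quoted in the write-up.
const constructedName = "<i>team</i>";
const quotedName = "<script>alert(1);//";

// Render both names through the vulnerable and the hardened path.
function demo() {
  return [constructedName, quotedName].map((name, i) => {
    const group = { id: `g${i + 1}`, name };
    return { unsafe: renderRecentGroupUnsafe(group), safe: renderRecentGroupSafe(group) };
  });
}

console.log("length check accepts markup:", isValidGroupName(constructedName));
console.log(demo());
```

In a browser, assigning the name through `textContent` instead of building an HTML string gives the same result without a hand-written encoder.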

See POC here https://youtu.be/P2Ram2FBAS4

Report here https://hackerone.com/reports/129436
