Twitter.com XSS!!

In case you don’t know, twitter.com lets you create group Direct Messages between many Twitter users, not just one-to-one conversations. As the creator of a DM group, you can rename the group at any time.

However, there is a limit on renaming: a group name can be at most 15 characters long, so finding a payload that fits into 15 characters was the main challenge in getting any XSS at all. Old public Twitter reports on HackerOne helped, since one of them used this 15-character payload: <script>alert(1);//

So whenever you or any other member shares something in this group through the recent conversation groups feature, an XSS popup appears.

The bug was fixed by twitter.com and I was awarded a decent bounty, but I expected a little bit more as it was on the main twitter.com domain.

See POC here https://youtu.be/P2Ram2FBAS4

Report here https://hackerone.com/reports/129436


Find Inactive/Deactivated profiles in Facebook

While searching for bugs on Facebook, I came across a link where you can find deactivated Facebook accounts.

The following link should only work for finding your own deactivated friends, but it works for any profile on Facebook.

https://www.facebook.com/ajax/friends/inactive/dialog?id=100000331676021&__user=1367024940&__a=1&__dyn&__req=1e&__rev=


Here “id” is the id of the victim (it can be the id of any Facebook user)

and “__user” is your own Facebook id.

If it returns a JS response, the profile has been deactivated; if you get a blank screen, the profile is active.

I reported this issue to Facebook but, as expected, it does not pose a significant privacy/security risk.

[Screenshot: Facebook Support Inbox reply, 2015-10-14]


Know the year any person joined Facebook

If you look at anyone’s Facebook timeline, you can see that posts are grouped by year in the navigation on the right side of the timeline. What if the person has fully locked down the privacy of their timeline? The year entries are still returned, even when no posts are shown.

Example

2015

2014

2013

Now you can easily guess that 2013 is the year he joined Facebook!

How to confirm this?

Consider a second person whose profile is fully private and whose timeline shows later years than the first person’s,

e.g.

2015

2014


Now, after my earlier issue was fixed, the friendship page returns the year-wise query of whichever of the two people joined earlier (if they have applied friend-list privacy).

i.e. the year-wise query will be

2015

2014

2013

So this confirms the first person’s year of joining Facebook, as his timeline year query and the friendship year query are the same!

I reported this to Facebook but they didn’t find it severe enough to qualify for a bounty.

[Screenshot: Facebook Support Inbox reply, 2015-09-24]