Introduction to Twitter's OAuth Integrations
Twitter uses several third-party OAuth integrations (Gmail, AOL, Outlook, Yahoo, etc.) to give its users an easy way to import contacts from those services.
e.g. a user who is new to Twitter but has many email contacts can import them directly from the email provider and find all of his/her friends on Twitter.
The Story Of The Hack
The Outlook OAuth integration used on Twitter was a deprecated version of the flow. You can read about OAuth 2.0 here.
When the user clicks the Outlook icon, the request sent looks like
Note the redirect_uri parameter. It is set to
Now, we can change redirect_uri to any Twitter URL: any *.twitter.com host was accepted, because the integration was using a deprecated version of the flow.
Also note response_type=code. It means Twitter has implemented the server-side (authorization code) OAuth flow: after receiving the code, Twitter's server sends it to Outlook's token endpoint and collects an access_token, and using this access_token Twitter imports the contacts from Outlook.
So my job was to steal the code. The attack vector for stealing the code is the Referer header, and this was the hardest part of the whole job, because Twitter uses a link shim:
e.g. when a user posts any link on Twitter it gets converted to a link like http://t.co/anything.
When the user visits http://t.co/anything it redirects to the destination site, but wait ...
it strips the Referer header from the request. So we cannot use it to leak the code.
I was like
Then I noticed that any *.twitter.com host is allowed as redirect_uri. So it was my turn to turn the game against Twitter: I found a page in Twitter's own OAuth implementation that can be used to leak the code.
Game starts now ...!
I created a Twitter app and implemented Login via Twitter on my own site. When a user clicks Login via Twitter, an OAuth token gets created. Simply, it looks like
When the user presses Cancel, Twitter sends them to this page, and we can use this endpoint to leak the code.
Researching further, I found that once an oauth_token has been cancelled it can still be used to leak the code (just send the same link to another user).
Now, the final exploit link looks like --->
Send the above link to any random victim on the web and it will get you the code via the Referer header (a single click by the victim is required). So, game over ...! ;)
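To make the two halves of this chain concrete (the lax *.twitter.com check on redirect_uri described above, and the Referer leak from a Twitter-hosted landing page that links back to the attacker), here is an added example. It is not code from the original post or from Twitter; every hostname, path, token and code value in it is hypothetical, the "cancel" page stands in for the real endpoint, and the registered callback URI is made up. It goes slightly beyond the post by also showing what the same click leaks under the referrer policy current browsers apply by default, and why the t.co shim was a dead end.

```python
"""Added example (not from the original post or Twitter's code): a lax
suffix check on redirect_uri next to the strict check it should have been,
and a model of what the Referer header carries when the victim clicks an
outbound link on the page the code lands on. All hosts, paths and token
values below are hypothetical."""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical registered callback; an exact-match check compares against it.
REGISTERED_REDIRECT_URI = "https://twitter.com/i/outlook/callback"


def lax_redirect_uri_ok(redirect_uri: str) -> bool:
    """Suffix match of the kind the post describes: any *.twitter.com host
    with any path is accepted, so the attacker chooses the landing page."""
    host = (urlparse(redirect_uri).hostname or "").lower()
    return host == "twitter.com" or host.endswith(".twitter.com")


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Exact string comparison against the registered URI (RFC 6749 s3.1.2.2)."""
    return redirect_uri == REGISTERED_REDIRECT_URI


def authorization_response(redirect_uri: str, code: str) -> str:
    """URL the provider sends the browser to after consent: the redirect_uri
    with the one-time authorization code appended to its query string."""
    sep = "&" if urlparse(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode({"code": code})


def referer_sent(landing_url: str, outbound_url: str, policy: str) -> Optional[str]:
    """Referer a browser attaches when the user follows outbound_url from
    landing_url, for three referrer policies. no-referrer-when-downgrade was
    the long-standing browser default; strict-origin-when-cross-origin is the
    default in current browsers and trims cross-origin referers to the origin."""
    src, dst = urlparse(landing_url), urlparse(outbound_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    if policy == "no-referrer" or downgrade:
        return None
    if policy == "no-referrer-when-downgrade":
        return landing_url  # full URL, query string included
    if policy == "strict-origin-when-cross-origin":
        return landing_url if same_origin else f"{src.scheme}://{src.netloc}/"
    raise ValueError(f"unknown policy {policy!r}")


def code_from_referer(referer: Optional[str]) -> Optional[str]:
    """What the attacker's server reads out of the Referer header, if anything."""
    if not referer:
        return None
    codes = parse_qs(urlparse(referer).query).get("code")
    return codes[0] if codes else None


def run_attack(policy: str) -> Optional[str]:
    """Model of the post's chain: attacker-chosen *.twitter.com landing page,
    code appended by the provider, outbound link to the attacker's site."""
    # Hypothetical Twitter OAuth 'cancel' page whose 'return to app' link
    # points at the attacker's registered callback; stands in for the real page.
    landing_page = "https://api.twitter.com/oauth/cancel?oauth_token=attacker-token"
    attacker_callback = "https://attacker.example/callback"
    if not lax_redirect_uri_ok(landing_page):
        return None
    url_with_code = authorization_response(landing_page, "outlook-code-4f2c")
    referer = referer_sent(url_with_code, attacker_callback, policy)
    return code_from_referer(referer)


def t_co_shim_leak() -> Optional[str]:
    """Why the t.co link shim was a dead end: the browser does send the full
    Referer to t.co itself, but t.co forwards the user on without one."""
    url_with_code = authorization_response("https://twitter.com/home", "outlook-code-4f2c")
    shim = "https://t.co/anything"
    assert code_from_referer(referer_sent(url_with_code, shim, "no-referrer-when-downgrade"))
    return code_from_referer(referer_sent(shim, "https://attacker.example/", "no-referrer"))


if __name__ == "__main__":
    page = "https://api.twitter.com/oauth/cancel?oauth_token=x"
    print("lax check accepts attacker page:", lax_redirect_uri_ok(page))
    print("strict check accepts attacker page:", strict_redirect_uri_ok(page))
    print("code leaked, old default policy:", run_attack("no-referrer-when-downgrade"))
    print("code leaked, current default policy:", run_attack("strict-origin-when-cross-origin"))
    print("code leaked through t.co shim:", t_co_shim_leak())
```

The fix on the provider side is the strict function: compare redirect_uri byte-for-byte against the value the client registered, never by host suffix, because any page on an accepted host that carries an attacker-controllable outbound link becomes a leak. The referrer-policy comparison is the caveat for anyone reproducing this today: with strict-origin-when-cross-origin the cross-origin Referer shrinks to the origin and the query string (and the code) no longer travels in it.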
Replies from Twitter
At first they declined to accept it as a vulnerability, giving the reason:
the data here is coming from somebody like microsoft instead of twitter though.
I explained the whole thing several times. Then they agreed and rewarded me the minimum bounty. I asked for clarification again. See the reply
They mistook this attack for the victim clicking Login via Twitter from my malicious site, but that was not the case. I explained it to them again. But they are interested in bugs like XSS, CSRF, RCE, etc.
But I am very happy with my research and discovery. So, at this time I am like