Posting to Twitter CSRF on php/post_twitter_authenticate.php
Low
Vulnerability Details
Hi !
This time, i found a CSRF who can lead to arbitrary writing on twitter account of victim if they have added it to zomato :)
Coupled with a stored XSS, it could be very troublesome to you.
In the page, it seems there is no token check at all.
You can see in the video the CSRF working and here is the POC i used:
`https://www.zomato.com/php/post_twitter_authenticate.php?type=posttweet&message=Hello Zomato Team :)`
Cordially,
Kuromatae.
Actions
View on HackerOneReport Stats
- Report ID: 249234
- State: Closed
- Substate: resolved
- Upvotes: 15