Search This Blog

CSRF Vulnerability in Twitter Translation Center

csrf vulnerability exploit

A Security Researcher, Prakhar Prasad , has dicovered a Cross-site request forgery(CSRF) Vulnerability in the Twitter Translation Center (translate.twttr.com) that allows attacker to Change Badge and Notification Settings.

The "Account Settings" page of Twitter Translation center has two options; First one toggles the Twitter Badge setting on Twitter.com and second one  toggles the badge related notification.

When a user click the Save changes button, it will send a post request to server.  In the post content, there is parameter 'authenticity_token'.

Normally, to prevent CSRF attacks, authenticity_token needs to be verified on server-side but twitter team failed to verify the authenticity_token.  It results in CSRF vulnerability..

Researcher sent notification to Twitter Security Team with a proof-of-concept. The Twitter immediately replied and said the team is investigating the issue.

The vulnerability has been fixed on 16th october; Now authenticity_token gets checked on the server-side . Any modification to the token results in an error page.

Share it:

CSRF vulnerability

Vulnerability