Full Report
Recently, somebody posted about an XSS on the analytics.twitter.com domain. At first glance it looks like nothing more than an alert popper: the session cookies are HTTPOnly, Twitter uses CSRF tokens, and the SameSite cookie flag is set to Strict. However, some APIs on api.twitter.com accept cookies sent from the analytics subdomain, which solves the first problem (the HTTPOnly session cookie never needs to be read, only sent). Reading the JavaScript shows that the CSRF token is just a hash of the csrf_id cookie, which is NOT HTTPOnly, so script on the subdomain can read that cookie and compute the token. SameSite doesn't kill everything: a subdomain of the same site is not cross-site. Think carefully about cookie settings and the protections in place, because doing security across a large list of sub-domains is difficult. It must be well thought out to ensure that a compromise of one subdomain doesn't affect the rest of the website.
Analysis Summary
# Vulnerability: Twitter Account Takeover via Subdomain XSS and CSRF Bypass
## CVE Details
- **CVE ID:** Not assigned (Publicly disclosed via independent researcher)
- **CVSS Score:** 8.8 (High) - Estimated based on full account takeover capability.
- **CWE:** CWE-79 (Cross-site Scripting), CWE-352 (Cross-Site Request Forgery)
## Affected Systems
- **Products:** Twitter (X) Web Platform
- **Versions:** All versions prior to the December 2023 patch.
- **Configurations:** Systems utilizing the `analytics.twitter[.]com` subdomain and sharing session contexts with `api.twitter[.]com`.
## Vulnerability Description
The vulnerability stems from a reflected Cross-Site Scripting (XSS) flaw on the `analytics.twitter[.]com` subdomain. While the main site (`twitter[.]com`) employed modern security headers, several architectural weaknesses allowed for an escalation to full account takeover:
1. **CSRF Protection Bypass:** The platform's CSRF protection relied on a `ct0` token. Analysis of the client-side JavaScript revealed this token was a simple hash of the `csrf_id` cookie.
2. **Cookie Strategy Weakness:** While primary session cookies were marked as `HTTPOnly`, the `csrf_id` cookie was not. An attacker executing JavaScript via the XSS flaw could read the `csrf_id`, generate a valid `ct0` token, and bypass CSRF protections.
3. **Cross-Domain Interaction:** `api.twitter[.]com` accepted cookies from the analytics subdomain. This allowed the XSS on the subdomain to perform authenticated requests (posting, liking, profile changes) against the main API.
4. **SameSite Limitation:** `SameSite` is evaluated per site (the registrable domain), not per origin, so a request from `analytics.twitter[.]com` to `api.twitter[.]com` is same-site and the cookies are sent despite `SameSite=Strict`. The attacker therefore operates within the victim's authenticated context as soon as the user opens the malicious link.
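The contrast in items 1 and 2 above, as an added illustration that is not part of the original report and is not Twitter's code: a toy cookie jar with an HttpOnly session cookie and a script-readable `csrf_id`, a weak validator that accepts a plain hash of `csrf_id` (so a script on a sibling subdomain can compute a valid token from `document.cookie` alone), and a hardened validator that keys the token with a server-side secret over the HttpOnly session cookie. All cookie names, values and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the two CSRF-token designs contrasted above.
# Cookie jar layout: name -> (value, httponly). Nothing here is real data.
SERVER_SECRET = secrets.token_bytes(32)  # lives only on the server


def make_jar() -> dict:
    return {
        "auth_token": (secrets.token_hex(16), True),   # session cookie, HttpOnly
        "csrf_id": (secrets.token_hex(16), False),     # readable by script
    }


def script_visible(jar: dict) -> dict:
    """What document.cookie exposes on any host under the cookie's Domain:
    only cookies that are not HttpOnly."""
    return {name: value for name, (value, httponly) in jar.items() if not httponly}


# --- weak design: token is a plain hash of a script-readable cookie ---
def weak_token(csrf_id: str) -> str:
    return hashlib.sha256(csrf_id.encode()).hexdigest()


def weak_validate(jar: dict, submitted: str) -> bool:
    return hmac.compare_digest(weak_token(jar["csrf_id"][0]), submitted)


# --- hardened design: HMAC over the HttpOnly session cookie with a
# server-side key; script cannot reproduce it from document.cookie ---
def strong_token(jar: dict) -> str:
    session = jar["auth_token"][0]
    return hmac.new(SERVER_SECRET, session.encode(), hashlib.sha256).hexdigest()


def strong_validate(jar: dict, submitted: str) -> bool:
    return hmac.compare_digest(strong_token(jar), submitted)


def subdomain_script_attempt(jar: dict) -> str:
    """The most a script on a sibling subdomain can do with document.cookie:
    apply the public client-side derivation to the one cookie it can read."""
    return weak_token(script_visible(jar).get("csrf_id", ""))


def compare_designs(jar: dict) -> dict:
    """Report whether each validator accepts a token derived by such a script."""
    forged = subdomain_script_attempt(jar)
    return {
        "weak_accepts_forged": weak_validate(jar, forged),
        "strong_accepts_forged": strong_validate(jar, forged),
        "session_visible_to_script": "auth_token" in script_visible(jar),
    }
```

Keying the token server-side only helps if it is never handed to the compromised origin (for example via a Domain-wide cookie); the broader fix for item 3 is to stop `api.twitter[.]com` from honouring credentials sent from that subdomain, or to narrow the cookies' Domain scope.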
## Exploitation
- **Status:** PoC Available / Disclosed by researcher (Chaofan Shou).
- **Complexity:** Medium (Requires crafting a link and social engineering).
- **Attack Vector:** Network / UI Redressing (User interaction required).
## Impact
- **Confidentiality:** High (Ability to read account data and private information via API).
- **Integrity:** High (Full account takeover: posting, deleting, and modifying account settings).
- **Availability:** Low (Does not directly target service uptime, though can delete user accounts).
## Remediation
### Patches
- **Twitter (X) Security Team:** The specific XSS endpoint on `analytics.twitter[.]com` has been patched. General security hardening was applied to the CSRF token generation logic.
### Workarounds
- **User-side:** Always log out of sessions when not in use and avoid clicking suspicious links from untrusted sources.
- **Developer-side:** Ensure `HTTPOnly` is applied to all cookies involved in security-sensitive operations (including CSRF identifiers) and implement strict Content Security Policies (CSP).
## Detection
- **Indicators of Compromise:** Unusual activity on `api.twitter[.]com` originating from the `analytics` subdomain in web logs.
- **Detection Methods:** Security teams can monitor for the reflection of script tags in URL parameters specifically targeting the analytics subdomains.
## References
- **Original Disclosure:** hxxps://x[.]com/Fried_rice/status/1734802168723734764
- **Researcher Profile:** hxxps://x[.]com/Fried_rice