Twitter XSS POC :

Prerequisites :

- Flash must be active on your browser
- Tested on Windows with Firefox/IE 11/Edge
- For Chrome go to https://opnsec.com/twitter/photo-chrome.html

Instructions :

1. Click here and save the XSS.png file to your computer
2. Click inside the red rectangle below and select the XSS.png file you just saved on your computer (you might need to click twice on the rectangle to activate Flash if using Edge)

3. The javascript payload executes on https://twitter.com
4. If you are logged in to twitter.com, the payload will post a tweet from your account (Hello @opnsec :)); you can verify that on twitter.com

Technical details :

https://twitter.com/flash/1/PhotoHelper.swf is a Flash file used to upload pictures. However, if we select a Flash file instead of an image file, the selected file's Flash code will execute.
This injected Flash code executes in the same security sandbox as the Twitter file, because it is loaded via Loader.loadBytes(), which by default allows the loaded bytes to contain executable code.
https://twitter.com/flash/1/PhotoHelper.swf is loaded in an iframe on twitter.com, so the injected Flash file can execute javascript on https://twitter.com via ExternalInterface.call("alert(document.domain+' XSSed')");
In addition, the injected Flash file can perform CSRF actions like posting a tweet via URLLoader.load(new URLRequest("https://twitter.com/")); since the request is sent with the user's twitter.com cookies.

Mitigation :

In https://twitter.com/flash/1/PhotoHelper.swf
replace
loader.loadBytes(data);
by
import flash.system.LoaderContext;
var lc:LoaderContext = new LoaderContext();
lc["allowCodeImport"] = false; // bytes may still be decoded as an image, but never run as ActionScript
loader.loadBytes(data, lc);

This will prevent the loaded file from executing Flash code (allowCodeImport is available since Flash Player 10.1).
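The technical details and mitigation above, written out as an added example of what a hardened picture-upload helper could look like. This is not Twitter's PhotoHelper.swf code; the class name SafePhotoHelper and the looksLikeImage() helper are assumptions made for illustration. It combines two layers: a magic-byte check that rejects anything not starting with a PNG/JPEG/GIF signature (an SWF starts with "FWS", "CWS" or "ZWS", whatever its extension says), and the allowCodeImport=false LoaderContext so that even bytes that slip past the check cannot run as ActionScript.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.MouseEvent;
    import flash.net.FileFilter;
    import flash.net.FileReference;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;

    // Hypothetical hardened upload helper used as the SWF's document class.
    // Not Twitter's code; illustrates the two defensive layers discussed above.
    public class SafePhotoHelper extends Sprite {
        private var fileRef:FileReference = new FileReference();
        private var loader:Loader = new Loader();

        public function SafePhotoHelper() {
            addChild(loader);
            // FileReference.browse() must be triggered by a user gesture (a click).
            stage.addEventListener(MouseEvent.CLICK, onClick);
            fileRef.addEventListener(Event.SELECT, onSelect);
            fileRef.addEventListener(Event.COMPLETE, onLoaded);
        }

        private function onClick(e:MouseEvent):void {
            // The extension filter is a convenience for the user only:
            // an SWF renamed to XSS.png passes it, so it is not a security check.
            fileRef.browse([new FileFilter("Images", "*.png;*.jpg;*.jpeg;*.gif")]);
        }

        private function onSelect(e:Event):void {
            fileRef.load(); // read the selected file's bytes into fileRef.data
        }

        private function onLoaded(e:Event):void {
            var data:ByteArray = fileRef.data;

            // Layer 1: content sniffing on the real bytes, not on the file name.
            if (!looksLikeImage(data)) {
                trace("rejected: file does not start with a PNG/JPEG/GIF signature");
                return;
            }

            // Layer 2: even if the sniffing were bypassed, refuse to import code
            // into our sandbox; the bytes can only be decoded as an image.
            var lc:LoaderContext = new LoaderContext();
            lc.allowCodeImport = false;
            loader.loadBytes(data, lc);
        }

        // Returns true only if the first bytes match a known image signature.
        // SWF files begin with "FWS", "CWS" or "ZWS" and therefore never match.
        public static function looksLikeImage(data:ByteArray):Boolean {
            if (data == null || data.length < 8) return false;
            var saved:uint = data.position;
            data.position = 0;
            var b0:uint = data.readUnsignedByte();
            var b1:uint = data.readUnsignedByte();
            var b2:uint = data.readUnsignedByte();
            var b3:uint = data.readUnsignedByte();
            data.position = saved;

            // PNG: 89 50 4E 47 ("\x89PNG")
            if (b0 == 0x89 && b1 == 0x50 && b2 == 0x4E && b3 == 0x47) return true;
            // JPEG: FF D8 FF
            if (b0 == 0xFF && b1 == 0xD8 && b2 == 0xFF) return true;
            // GIF: 47 49 46 38 ("GIF8")
            if (b0 == 0x47 && b1 == 0x49 && b2 == 0x46 && b3 == 0x38) return true;
            return false;
        }
    }
}
```

The sniffing check alone would be enough to stop a file named XSS.png that is really an SWF, but the LoaderContext line is the one-line fix that removes the root cause: with allowCodeImport set to false, Loader.loadBytes() cannot execute code from the loaded bytes regardless of what they contain, so ExternalInterface.call() and the CSRF request described above never get a chance to run.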

My takeaway :

Twitter responded to my report fairly quickly.
However, they decided that the vulnerability required exceedingly unlikely user interaction (with which I agree) and that Flash was obsolete (fair enough), and chose not to fix the issue.
Given the fact that the issue is very easy to mitigate, that Flash is still supported by modern browsers and that XSS is critical for a social website, I was a little bit disappointed by their decision.
This is an opportunity to show the public how an XSS attack works live on a major website and I hope this was instructive!

@opnsec

Notification & Disclosure Timeline :

March 17th 2017 : Reported to Twitter Security Team via HackerOne
March 27th 2017 : Twitter responded that the bug requires unlikely user interaction and decided not to fix it
April 21st 2017 : Sent an easy mitigation code to Twitter in case they decided to fix it anyway
June 5th 2017   : Public disclosure