Twitter XSS POC:
- Flash must be active on your browser
- Tested on Windows with Firefox/IE 11/Edge
- For Chrome go to https://opnsec.com/twitter/photo-chrome.html
1. Click here and save the XSS.png file to your computer
2. Click inside the red rectangle below and select the XSS.png file you just saved on your computer (you might need to click twice on the rectangle to activate Flash if using Edge)
4. If you are logged in to twitter.com, the payload will post a tweet from your account ("Hello @opnsec :)"); you can verify that on twitter.com
Technical details:
is a Flash file used to upload pictures. However, if a Flash file is selected instead of an image file, the Flash code it contains gets executed.
This injected Flash code runs in the same security sandbox as the Twitter file, because it is loaded via
In addition, the injected Flash file can perform CSRF actions such as posting a tweet via
import flash.system.LoaderContext;
var lc:LoaderContext = new LoaderContext();
lc.allowCodeImport = false; // loaded bytes are treated as data (an image) only, never as executable ActionScript
This prevents the loaded file from executing Flash code.
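The loader-side setting above stops code from running once the file is loaded; the upload-side check below is an added example written for this page (not the author's or Twitter's code) that rejects a Flash movie renamed to XSS.png before any Flash loader sees it, by classifying the upload from its magic bytes rather than its filename. The sample bytes are constructed, not taken from real files.

```python
import os
import struct

# Leading bytes that identify the formats we care about.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib- and LZMA-compressed SWF

# Extensions an image uploader should accept, and the content type each must carry.
ALLOWED = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever the filename claims."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:3] in SWF_MAGICS and len(data) >= 8:
        return "swf"
    return "unknown"


def swf_header(data: bytes) -> dict:
    """Decode the 8-byte SWF header: signature, player version, declared file length."""
    version = data[3]
    length = struct.unpack("<I", data[4:8])[0]
    return {"signature": data[:3].decode("ascii"), "version": version, "length": length}


def validate_image_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Accept only a real image whose content matches its extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    actual = sniff_type(data)
    if actual == "swf":
        h = swf_header(data)
        return False, f"Flash movie disguised as image ({h['signature']} v{h['version']})"
    if actual != ALLOWED[ext]:
        return False, f"content is {actual}, extension says {ALLOWED[ext]}"
    return True, "ok"


# Constructed sample inputs: a minimal PNG prefix and a bare SWF header (version 8, length 1234).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR"
SAMPLE_SWF = b"FWS" + bytes([8]) + struct.pack("<I", 1234) + b"\x00" * 8
```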
My takeaway:
Twitter responded to my report fairly quickly. However, they decided that the vulnerability required exceedingly unlikely user interaction (which I agree with) and that Flash was obsolete (fair enough), and chose not to fix the issue.
Given that the issue is very easy to mitigate, that Flash is still supported by modern browsers, and that XSS is critical for a social website, I was a little bit disappointed by their decision.
This is an opportunity to show the public how an XSS attack works live on a major website and I hope this was instructive!
Notification & Disclosure Timeline:
March 17th 2017: Reported to Twitter Security Team via HackerOne
March 27th 2017: Twitter responded that the bug requires unlikely user interaction and decided not to fix it
April 21st 2017: Sent an easy mitigation code to Twitter in case they decided to fix it anyway
June 5th 2017: