The Hacker News
Security expert Ebrahim Hegazy, Cyber Security Analyst Consultant at Q-CERT, has found a serious vulnerability in Twitter that allows an attacker to upload files of any extension, including PHP.

An unrestricted file upload vulnerability occurs when an application does not validate, or improperly validates, file types before storing uploaded files on the system. Such flaws can allow an attacker to upload and execute arbitrary code on the target, which could result in execution of arbitrary HTML and script code or full system compromise.
According to Ebrahim, when a developer creates a new application for Twitter at dev.twitter.com, they have the option to upload an image for that application.

While uploading the image, the Twitter server checks the uploaded file and accepts only certain image extensions, such as PNG and JPG; files with other extensions are not uploaded.

But in a video proof of concept he demonstrated that the vulnerability allowed him to bypass this validation, so an attacker could successfully upload .htaccess and .php files to the twimg.com server.
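As an added illustration (example code written for this edit, not Twitter's code and not anything from Hegazy's proof of concept), the following Python contrasts a representative extension-only check of the kind described above with a hardened validator that treats the client-supplied filename as untrusted, looks only at the last extension, verifies the file's magic bytes, rejects dotfiles such as .htaccess, and stores the object under a server-generated name. The allow-list, the sample uploads and the hostile filenames are assumptions constructed for the example; the page does not say how the Twitter check was actually bypassed.

```python
import os
import re
import secrets

# Allow-listed image types mapped to the leading bytes ("magic numbers") a genuine file
# of that type starts with. This policy is an assumption made for the example and is
# not Twitter's actual rule set.
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised by the hardened validator for anything that is not a plausible allowed image."""


def weak_is_allowed(filename: str, declared_content_type: str) -> bool:
    """A representative weak check (not Twitter's code): it trusts the client-declared
    Content-Type and only requires that an allowed extension appear *somewhere* in the
    name. Both values come from the multipart body the attacker builds, so a name like
    'shell.png.php' passes and the stored file keeps its .php suffix."""
    if not declared_content_type.lower().startswith("image/"):
        return False
    return re.search(r"\.(png|jpe?g|gif)", filename, re.IGNORECASE) is not None


def validate_and_name_upload(filename: str, data: bytes) -> str:
    """Hardened check. Returns the server-chosen name the file should be stored under,
    or raises UploadRejected. The client-supplied name is used only to pick the type."""
    # 1. Drop any directory part the client sent and reject names that hide or escape.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base or base.startswith("."):
        # Dotfiles cover .htaccess, which changes Apache's behaviour if it is honoured.
        raise UploadRejected("bad filename")

    # 2. Look only at the LAST extension and require it to be on the allow-list, so
    #    'shell.png.php' is judged by 'php', not by the 'png' in the middle.
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # 3. Check the content, not the label: the bytes must start with that type's magic.
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # 4. Never store under the client's name. A random name with the canonical extension
    #    cannot carry a second extension or a suffix that a script handler would pick up.
    canonical = "jpg" if ext == "jpeg" else ext
    return f"{secrets.token_hex(16)}.{canonical}"


# Constructed sample uploads for the demonstration (made up for this example).
SAMPLE_UPLOADS = {
    "avatar.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"),
    "shell.png.php": (b"<?php system($_GET['c']); ?>", "image/png"),
    ".htaccess": (b"AddType application/x-httpd-php .png\n", "image/png"),
    "fake.png": (b"<?php phpinfo(); ?>", "image/png"),
    "../../../evil.gif": (b"GIF89a" + b"\x00" * 8, "image/gif"),
}


def compare_validators(uploads=SAMPLE_UPLOADS) -> dict:
    """Run both validators over the samples; returns {name: (weak_result, hardened_result)}
    where hardened_result is the stored extension or the rejection reason."""
    results = {}
    for name, (data, ctype) in uploads.items():
        weak = weak_is_allowed(name, ctype)
        try:
            hardened = "stored as *." + validate_and_name_upload(name, data).rsplit(".", 1)[1]
        except UploadRejected as exc:
            hardened = f"rejected: {exc}"
        results[name] = (weak, hardened)
    return results


if __name__ == "__main__":
    for name, (weak, hardened) in compare_validators().items():
        print(f"{name:20} weak={'accept' if weak else 'reject':6}  hardened={hardened}")
```

Validation alone is only half the fix: the directory that receives uploads should also be served with script execution disabled (on Apache, `AllowOverride None` for that path so an uploaded .htaccess is never read, and no PHP handler mapped there). That separation of storage from execution is the same reason a CDN that runs no scripting engine limits the damage from a bypass like this one.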


Twimg.com works as a CDN (content delivery network), which means that each time the attacker uploads a file, it is hosted on a different server or subdomain of twimg.com.

CDN edge servers usually do not run scripting engines. In the normal scenario, successfully uploading .htaccess and PHP files to a server that does execute PHP would mean remote code execution on that server.


But in the case of Twitter, the impact is different:
  • The vulnerability could be used to turn twimg.com into a botnet command-and-control server by hosting a text file of commands that infected machines fetch; since users trust the twimg.com domain, that traffic would not attract attention.
  • It could be used to host malicious files.
  • At the least, it could be used to upload a text page with defacement content and then submit the affected twimg.com subdomains as mirrors to Zone-h.org, which would damage Twitter's reputation.
Twitter recognized the criticality of the unrestricted file upload vulnerability and added Hegazy's name to its Hall of Fame. I personally reached out to Ebrahim Hegazy, who told me that he had also found an open redirection vulnerability in Twitter on 15th Sept., which has also been fixed.

I conclude with a personal consideration: it's a shame Twitter hasn't a bounty program; in my opinion it is fundamental to incentivize hackers toward ethical disclosure of bugs. An attack against a social media platform could have serious repercussions for the users and for the reputation of the platform; if hackers sell knowledge of the flaw on the black market, a growing number of cyber criminals could benefit from it.
