Twitter lite(Android): Vulnerable to local file steal, Javascript injection, Open redirect

Critical
X
X (Formerly Twitter)
Reported by rahulkankrale

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
**Summary:** com.twitter.android.lite.TwitterLiteActivity is set to exported and doesn't validate data passed to the intent, due to which this activity is vulnerable to theft of users' local files, JavaScript injection and open redirect.

**Description:** com.twitter.android.lite.TwitterLiteActivity is set to exported, so an external app can communicate with it. As this activity doesn't validate data passed through the intent, including critical URIs like javascript and file, a malicious app can steal users' files as well as inject JavaScript. It can lead to many issues like UXSS, token theft, etc.

## Steps To Reproduce:

1. To reproduce, we use the ADB tool.
2. To reproduce local file access, use: `adb shell am start -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "file:///sdcard/BugBounty/1.html"`
3. To reproduce JavaScript injection: `adb shell am start -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "blocked://example.com%0A alert(1);"`
4. To reproduce open redirect: `adb shell am start -n com.twitter.android.lite/com.twitter.android.lite.TwitterLiteActivity -d "http://evilzone.org"`

* Video of POC attached. Thanks

## Impact

As critical URIs like javascript & file are not being validated, a malicious app can steal users' session tokens, users' files, etc.
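
The missing validation the report describes can be expressed as an allowlist check on the intent's data URI before it is loaded. The following is an added example, not part of the original report and not Twitter's code; it assumes the activity passes the intent data to a web view, and the allowed hosts, the fallback URL and the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class IntentUriValidator {
    // Assumption: hosts the wrapped web app may load (hypothetical allowlist).
    private static final Set<String> ALLOWED_HOSTS = Set.of("twitter.com", "mobile.twitter.com");
    // Assumption: page to load when the caller-supplied URI is rejected.
    private static final String FALLBACK = "https://mobile.twitter.com/";

    /** Returns the URI to load: the input if it passes every check, otherwise FALLBACK. */
    static String sanitize(String data) {
        if (data == null) return FALLBACK;
        // Reject whitespace and control characters, raw or percent-encoded (CR/LF).
        String lower = data.toLowerCase(Locale.ROOT);
        if (lower.contains("%0a") || lower.contains("%0d")) return FALLBACK;
        for (char c : data.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) return FALLBACK;
        }
        URI uri;
        try {
            uri = new URI(data);
        } catch (URISyntaxException e) {
            return FALLBACK;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Only https: this excludes file:, javascript:, content: and cleartext http:.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return FALLBACK;
        // No userinfo, so "https://twitter.com@other.example/" cannot pass as trusted.
        if (uri.getRawUserInfo() != null) return FALLBACK;
        // Exact host match; suffix or substring matching would admit look-alike hosts.
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return FALLBACK;
        return uri.toString();
    }

    public static void main(String[] args) {
        String[] inputs = {
            "file:///sdcard/BugBounty/1.html",       // from the report, step 2
            "blocked://example.com%0A alert(1);",    // from the report, step 3
            "http://evilzone.org",                   // from the report, step 4
            "https://mobile.twitter.com/home",       // constructed sample on the allowlist
        };
        for (String in : inputs) {
            System.out.println(in + " -> " + sanitize(in));
        }
    }
}
```

In an Android activity the same checks would run on `getIntent().getDataString()` before anything is loaded. If no external app needs to start the activity, setting `android:exported="false"` in the manifest removes the entry point altogether.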

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Improper Access Control - Generic