Full Report
This bug report is a doozy! It chains several vulnerability classes into a horrifying exploit against Twitter.

Twitter allows users to upload files. If the file has a known type, the response for that file carries the proper Content-Type; if it has a dangerous extension such as .html, the upload is rejected. So what happens if the file type is not known? No Content-Type header is sent at all. The browser does not trust file extensions; it only cares about the Content-Type, and if that header is missing it tries to deduce the type from the content itself. This is called MIME sniffing. By uploading a file with a made-up extension, the attacker gets the browser to sniff the type from the content, so HTML (and the script inside it) embedded in the file is rendered and executed on the ton.twitter.com origin. Sadly, on its own this is a self-attack; another bug is needed to make it hit other users.

The author found that an HTML5 AppCache manifest file can also be uploaded to the site. This lets a malicious user control the browser's caching behaviour for ton.twitter.com. What can an attacker do with that? The AppCache manifest has crazy capabilities: for instance, it can change the HTML served for a page. Worse, it sticks in the victim's browser, giving the attacker a permanent XSS. Overall, the combination of MIME sniffing and clever use of the AppCache manifest leads to persistent XSS. Pretty rad!
Analysis Summary
# Vulnerability: Permanent XSS on Twitter via MIME Sniffing and AppCache Manifest Injection
## CVE Details
- **CVE ID**: N/A (Reported via HackerOne bug bounty program)
- **CVSS Score**: Estimated 8.3 (High; no official score was assigned)
- **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"), CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products**: Twitter (X) Web Infrastructure
- **Versions**: Legacy `ton.twitter.com` user-content and asset hosting.
- **Configurations**: Upload endpoints that serve files with unrecognized or arbitrary extensions without an explicit `Content-Type` and without `X-Content-Type-Options: nosniff`.
## Vulnerability Description
This vulnerability is a "chain" exploit involving two primary flaws:
1. **MIME Sniffing via Missing Content-Type**: When a user uploads a file with an unknown extension to `ton.twitter.com`, the server serves it back without a `Content-Type` header. Browsers then fall back to MIME sniffing, inspecting the first bytes of the body to guess the type. A file with a made-up extension whose content begins with an HTML tag (`<html`, `<script` and similar) is therefore rendered as an HTML document on the `ton.twitter.com` origin, and any script inside it executes there.
2. **AppCache Manifest Exploitation**: The attacker also uploads an HTML5 AppCache manifest. Because the response carries no `Content-Type`, the browser does not reject the file as a manifest. AppCache scope is the origin, so the manifest lets the attacker dictate what the browser serves for `ton.twitter.com` resources, and the cached entries persist in the victim's browser across visits, so the injected script keeps executing even after the initial malicious file is removed.
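To make the first half of the chain concrete, here is an added example (not code from the report or from Twitter) in Python that models the relevant slice of the WHATWG MIME Sniffing Standard's "identify an unknown MIME type" step: the HTML tag patterns a browser checks when a response has no `Content-Type`, and the effect of `X-Content-Type-Options: nosniff`, which turns the scriptable patterns off. It is a simplification (a supplied `Content-Type` is honoured as-is, and the image, audio and archive patterns are omitted); the upload name `payload.xyz` and the sample bodies are constructed.

```python
"""Simplified model of browser MIME sniffing for a response without Content-Type.

Added example; follows the structure of the WHATWG MIME Sniffing Standard's
"identify an unknown MIME type" algorithm but omits image/audio/archive
patterns and the special handling of supplied text/plain and image types.
"""
from typing import Optional

# Tag patterns checked (case-insensitively) after optional leading whitespace.
# Each must be followed by a tag-terminating byte: space (0x20) or '>' (0x3E).
HTML_TAG_PATTERNS = (
    b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME", b"<H1",
    b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE", b"<TITLE", b"<B",
    b"<BODY", b"<BR", b"<P", b"<!--",
)
WHITESPACE_BYTES = b"\t\n\x0c\r "
TAG_TERMINATORS = b" >"
# Bytes whose presence marks a resource as binary rather than text.
BINARY_DATA_BYTES = frozenset(
    list(range(0x00, 0x09)) + [0x0B] + list(range(0x0E, 0x1B)) + list(range(0x1C, 0x20))
)
RESOURCE_HEADER_LENGTH = 1445  # the sniffer only examines the first 1445 bytes


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _skip_whitespace(data: bytes) -> bytes:
    i = 0
    while i < len(data) and data[i] in WHITESPACE_BYTES:
        i += 1
    return data[i:]


def matches_html(resource_header: bytes) -> bool:
    """True if the first bytes match one of the spec's HTML tag patterns."""
    rest = _skip_whitespace(resource_header)
    upper = rest.upper()
    for tag in HTML_TAG_PATTERNS:
        if upper.startswith(tag) and len(rest) > len(tag) and rest[len(tag)] in TAG_TERMINATORS:
            return True
    return False


def computed_mime_type(headers: dict, body: bytes) -> str:
    """Return the MIME type a browser would act on for this response."""
    supplied = _header(headers, "Content-Type")
    if supplied:
        # Simplification: a supplied type is honoured as-is.
        return supplied.split(";")[0].strip().lower()

    nosniff = (_header(headers, "X-Content-Type-Options") or "").strip().lower() == "nosniff"
    resource_header = body[:RESOURCE_HEADER_LENGTH]

    # Scriptable patterns (HTML, XML, PDF) are only tried when sniffing is allowed.
    if not nosniff:
        if matches_html(resource_header):
            return "text/html"
        if _skip_whitespace(resource_header).startswith(b"<?xml"):
            return "text/xml"
        if resource_header.startswith(b"%PDF-"):
            return "application/pdf"

    # Non-scriptable fallback: text unless binary data bytes are present.
    if any(b in BINARY_DATA_BYTES for b in resource_header):
        return "application/octet-stream"
    return "text/plain"


# Constructed sample: an upload with a made-up extension (hypothetical name
# "payload.xyz") whose body is HTML. With no Content-Type it is sniffed as
# HTML; with nosniff, or an explicit octet-stream type, it is not.
SNIFFABLE_HTML_UPLOAD = b"\n  <html><script>alert(document.domain)</script></html>"

if __name__ == "__main__":
    for hdrs in ({}, {"X-Content-Type-Options": "nosniff"}, {"Content-Type": "application/octet-stream"}):
        print(hdrs, "->", computed_mime_type(hdrs, SNIFFABLE_HTML_UPLOAD))
```

The point to take from the model is that the tag check is deliberately loose (any of seventeen tags, after arbitrary leading whitespace, in any letter case), so a content filter that only looks for `<html` or `<script` at byte zero will not catch what the browser will still render; the header-side controls are the reliable fix.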
## Exploitation
- **Status**: PoC demonstrated to vendor (Now resolved)
- **Complexity**: Medium (Requires chaining multiple web-standard behaviors)
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Access to session cookies, private data on the affected subdomain)
- **Integrity**: High (Ability to modify page content and inject persistent malicious scripts)
- **Availability**: Medium (Potential to disrupt service for specific users via corrupted AppCache)
## Remediation
### Patches
- **Vendor Fix**: Twitter implemented stricter `Content-Type` enforcement.
- **Header Implementation**: The `X-Content-Type-Options: nosniff` header was applied to ensure browsers do not attempt to guess the MIME type of uploaded files.
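The remediation in practice, as an added example in Python (not Twitter's code): the weak policy the report describes (known extensions get a type, unknown ones get no `Content-Type` at all) beside a hardened policy that always emits an explicit type, turns unknown files into opaque downloads, refuses markup and script-capable formats outright and sets `nosniff` on every response. The extension lists, the CSP value and the upload names are assumptions.

```python
"""Response-header policy for serving user uploads: weak vs hardened.

Added example, not Twitter's code. Extension lists are assumptions.
"""
import re
from pathlib import PurePosixPath

# Types the weak policy knows about (assumed); anything else got no Content-Type.
KNOWN_TYPES = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".mp4": "video/mp4", ".txt": "text/plain",
}
# Extensions the weak upload endpoint rejected outright (assumed).
REJECTED_EXTENSIONS = {".html", ".htm"}

# Hardened policy: the only types allowed to render inline (assumed allowlist).
INLINE_TYPES = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".mp4": "video/mp4",
}
# Markup or script-capable formats never hosted on the asset origin (assumed).
MARKUP_EXTENSIONS = {".html", ".htm", ".xhtml", ".xml", ".svg", ".xsl", ".appcache", ".manifest"}


def weak_response_headers(filename: str) -> dict:
    """Reproduces the behaviour the report describes: no Content-Type for unknown types."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in REJECTED_EXTENSIONS:
        raise ValueError(f"upload rejected: {filename}")
    headers = {}
    if ext in KNOWN_TYPES:
        headers["Content-Type"] = KNOWN_TYPES[ext]
    return headers  # unknown extension: the browser is left to sniff


def _safe_download_name(filename: str) -> str:
    """Keep a conservative character set for the Content-Disposition filename."""
    name = PurePosixPath(filename).name
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._") or "download"
    return name


def hardened_response_headers(filename: str) -> dict:
    """Always emit an explicit type, never let the browser sniff, and never
    render unknown content inline."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in MARKUP_EXTENSIONS:
        raise ValueError(f"upload rejected: {filename}")
    headers = {
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if something does render, it cannot run script
        # or reach the origin's storage.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext in INLINE_TYPES:
        headers["Content-Type"] = INLINE_TYPES[ext]
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{_safe_download_name(filename)}"'
    return headers


if __name__ == "__main__":
    for name in ("cat.png", "payload.xyz"):
        print(name, "weak:", weak_response_headers(name))
        print(name, "hardened:", hardened_response_headers(name))
```

Extension checks decide only how a file is served; they say nothing about what is inside it, so this policy should sit alongside content inspection at upload time. Serving user content from a dedicated origin that holds no session cookies is the other half of the usual fix.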
### Workarounds
- **Browser-Side**: Current browsers have removed or deprecated HTML5 AppCache in favor of Service Workers, which have stricter requirements (the worker script must be same-origin, served over HTTPS, and served with a JavaScript MIME type), so the persistence half of this chain no longer works in modern browsers. The MIME-sniffing half still applies to any host that serves user uploads without an explicit `Content-Type`.
## Detection
- **Indicators of Compromise**:
- Responses from upload or asset hosts whose body begins with `CACHE MANIFEST` (the manifest magic), whatever the file's extension or name.
- Responses for user-uploaded files that lack a `Content-Type` or an `X-Content-Type-Options: nosniff` header.
- **Detection Methods**:
- Periodic testing of file upload endpoints: upload a file with an unrecognized extension whose body starts with an HTML tag, then confirm the response carries an explicit non-HTML `Content-Type` plus `nosniff`.
- Security auditing of legacy subdomains (e.g., `ton.*`, `assets.*`) for permissive upload policies.
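An added example (not from the report) in Python of the detection logic above run over constructed responses from an upload host: it flags a missing `Content-Type`, a missing `nosniff` header, a renderable markup type served from the upload origin, and a body that starts with the AppCache manifest magic regardless of the URL's extension. The host name `uploads.example.com`, the markup-type list and the sample responses are constructed.

```python
"""Audit responses from an upload/asset host for the conditions behind this chain.

Added example; the responses below are constructed, not real traffic.
"""
from typing import NamedTuple, Optional

APPCACHE_MAGIC = b"CACHE MANIFEST"
UTF8_BOM = b"\xef\xbb\xbf"
# Types an upload host should never serve as renderable documents (assumed policy).
RENDERABLE_MARKUP = {"text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml"}


class Response(NamedTuple):
    url: str
    status: int
    headers: dict
    body: bytes


def _header(headers: dict, name: str) -> Optional[str]:
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def looks_like_appcache_manifest(body: bytes) -> bool:
    """The manifest format requires the literal first line 'CACHE MANIFEST'
    (optionally after a UTF-8 BOM), followed by whitespace, a newline or EOF."""
    head = body[len(UTF8_BOM):] if body.startswith(UTF8_BOM) else body
    if not head.startswith(APPCACHE_MAGIC):
        return False
    return len(head) == len(APPCACHE_MAGIC) or head[len(APPCACHE_MAGIC)] in b" \t\r\n"


def audit_response(resp: Response) -> list:
    """Return a list of human-readable findings for one response."""
    findings = []
    if resp.status != 200:
        return findings
    ctype = _header(resp.headers, "Content-Type")
    nosniff = (_header(resp.headers, "X-Content-Type-Options") or "").strip().lower() == "nosniff"
    if ctype is None:
        findings.append("missing Content-Type (browser will sniff)")
    elif ctype.split(";")[0].strip().lower() in RENDERABLE_MARKUP:
        findings.append(f"renderable markup type served from upload host: {ctype}")
    if not nosniff:
        findings.append("missing X-Content-Type-Options: nosniff")
    if looks_like_appcache_manifest(resp.body):
        findings.append("body is an AppCache manifest (CACHE MANIFEST magic)")
    return findings


def audit_all(responses) -> dict:
    """Map URL -> findings, omitting clean responses."""
    report = {}
    for resp in responses:
        found = audit_response(resp)
        if found:
            report[resp.url] = found
    return report


# Constructed samples (hypothetical host "uploads.example.com").
SAMPLES = [
    Response("https://uploads.example.com/i/payload.xyz", 200, {},
             b"<html><script>alert(1)</script>"),
    Response("https://uploads.example.com/i/cache.bin", 200,
             {"Content-Type": "application/octet-stream"}, b"CACHE MANIFEST\n# v1\n"),
    Response("https://uploads.example.com/i/cat.png", 200,
             {"Content-Type": "image/png", "X-Content-Type-Options": "nosniff"}, b"\x89PNG\r\n\x1a\n"),
    Response("https://uploads.example.com/i/page.xyz", 200,
             {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}, b"<p>hi</p>"),
]

if __name__ == "__main__":
    for url, found in audit_all(SAMPLES).items():
        print(url)
        for item in found:
            print("  -", item)
```

The manifest check is content-based on purpose: in this report the manifest had no telling extension, so a rule keyed on `.appcache` or `.manifest` would never fire.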
## References
- HackerOne Report: hXXps[://]hackerone[.]com/reports/168662
- MDN Web Docs on MIME Sniffing: hXXps[://]developer[.]mozilla[.]org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing
- OWASP XSS Prevention Cheat Sheet: hXXps[://]cheatsheetseries[.]owasp[.]org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet[.]html