Security researcher Prakhar Prasad has discovered a cross-site request forgery (CSRF) vulnerability in the Twitter Translation Center (translate.twttr.com) that allowed an attacker to change a victim's badge and notification settings.
The "Account Settings" page of the Twitter Translation Center has two options: the first toggles the Twitter badge setting on Twitter.com, and the second toggles the badge-related notifications.
When a user clicks the "Save changes" button, the browser sends a POST request to the server. The POST body contains a parameter named 'authenticity_token'.
Normally the server verifies the authenticity_token to prevent CSRF attacks, but the Twitter team failed to verify it: the token was emitted in the form yet never compared with anything on the server side, so a forged request carrying the victim's session cookies was accepted whatever value the token held. That is what made the page vulnerable to CSRF.
The researcher reported the issue to the Twitter Security Team with a proof-of-concept. Twitter replied immediately, saying the team was investigating.
The vulnerability was fixed on 16 October; the authenticity_token is now checked on the server side, and any modification to the token results in an error page.
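To make the bug class and the fix concrete, here is an added example in plain Ruby (not Twitter's code, and not Rails, even though 'authenticity_token' is the Rails parameter name). It simulates the settings handler before and after the fix, a cross-site auto-submitting form of the kind a CSRF proof-of-concept uses, and a forged request run against both handlers. The field names 'badge' and 'notify', the action URL and the session layout are assumptions for illustration only.

```ruby
require 'securerandom'

# Added example, not Twitter's code. Field names 'badge' and 'notify', the
# action path and the session layout are assumptions for illustration.

# A fresh logged-in session: the token is minted per session and rendered
# into the settings form as a hidden field.
def fresh_session
  { user: 'victim', csrf_token: SecureRandom.hex(32), badge: true, notify: true }
end

# Vulnerable handler (the bug class described above): the token is read from
# the POST body but never compared with anything, so any value, or no value
# at all, is accepted and the settings change.
def save_settings_vulnerable(session, params)
  _ignored = params['authenticity_token']
  session[:badge]  = params['badge']  == '1'
  session[:notify] = params['notify'] == '1'
  :ok
end

# Constant-time byte comparison so the check itself does not leak the token
# through timing. A length mismatch returns false at once; lengths are public.
def secure_compare(expected, given)
  return false if expected.nil? || given.nil? || expected.bytesize != given.bytesize
  expected.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Fixed handler: the submitted token must equal the one bound to this
# session; anything else gets the error page and no state change.
def save_settings_fixed(session, params)
  return :error_page unless secure_compare(session[:csrf_token], params['authenticity_token'])
  session[:badge]  = params['badge']  == '1'
  session[:notify] = params['notify'] == '1'
  :ok
end

# What a cross-site page can send: the victim's browser attaches the victim's
# cookies, but the attacker chooses every form field. The same-origin policy
# keeps the attacker from reading the victim's token, so the value is absent,
# guessed, or lifted from the attacker's own account (constructed here).
def attacker_params
  { 'authenticity_token' => 'a' * 64, 'badge' => '0', 'notify' => '0' }
end

# Auto-submitting form of the kind used in CSRF proofs of concept. The action
# URL is a placeholder, not the real endpoint.
def attacker_page
  <<~HTML
    <form id="f" method="POST" action="https://translate.example/settings">
      <input type="hidden" name="authenticity_token" value="#{'a' * 64}">
      <input type="hidden" name="badge" value="0">
      <input type="hidden" name="notify" value="0">
    </form>
    <script>document.getElementById('f').submit()</script>
  HTML
end

# The genuine form submission, carrying the token the server issued.
def legitimate_params(session)
  { 'authenticity_token' => session[:csrf_token], 'badge' => '1', 'notify' => '1' }
end

# Run the forged request against both handlers and report the handler's
# verdict together with whether the victim's badge setting changed.
def demo
  v = fresh_session
  f = fresh_session
  { vulnerable: [save_settings_vulnerable(v, attacker_params), v[:badge]],
    fixed:      [save_settings_fixed(f, attacker_params),      f[:badge]] }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The point the example makes is the one in the report: a hidden token in the form is only half of the mechanism. Protection comes from the server refusing any request whose token does not match the one it bound to the session, and that comparison should be constant-time so the check does not become an oracle of its own.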