Critical X Bug Enables Account Takeover with a Single Click

While the technical issue has reportedly been resolved, it is strongly advised to exercise heightened caution when interacting with any links on X.

Hacker surrounded by birds
The security incident revolved around a reflected XSS vulnerability in the X subdomain, accompanied by a CORS/CSP bypass.

Today, the pseudonymous white-hat security researcher Samczsun warned the crypto community about a bug discovered in the X platform (formerly Twitter). According to the analyst, this bug "allows hackers to gain full access to your account by simply clicking a link."

Read also: SlowMist’s Top DeFi Research: "The Basic Security Risks Are Severe"

Samczun explains that the identified bug empowers malicious actors to execute a variety of actions on the social media platform, including posting content, sharing publications authored by other users, and blocking accounts. Notably, the ability to change the password for a compromised account remains unavailable.

Samczun emphasizes that "Typically clicking a link is safe as long as you do not click anything on the page (like a 'link MetaMask' button). In this case, simply loading the page is game over," adding that the exploits of this vulnerability are "the Twitter equivalent of a Discord session stealer."

As a preventive measure, Samczun recommends the use of uBlock Origin, an ad-blocking browser extension. However, some X users dispute the effectiveness of this tool.

For users accessing Twitter on mobile browsers, where installing extensions is not possible, Samczun advises logging out and using the app.

Despite Samczun's prompt announcement of the bug's resolution approximately two hours after the initial warning, it is highly advisable to exercise extra caution. The potential victims extend beyond regular X users and may include legitimate Web3 projects, whose compromised X accounts could be exploited in subsequent phishing scams.

Read also: Web3 Exploit Losses Decrease Following November's Surge in Attacks

Vulnerability explanation

The technical summary of the bug states that "Reflected XSS in a Twitter subdomain and CORS/CSP bypass allows for arbitrary requests to the Twitter API as a locally authenticated user." The term "reflected XSS" denotes a security vulnerability that enables attackers to inject a malicious script into a web application, specifically the X platform. The "reflected" aspect indicates that the injected script is bounced off a web server and subsequently executed in the user's browser.

CORS (Cross-Origin Resource Sharing) and CSP (Content Security Policy) serve as security mechanisms, governing web browsers' control over requests for resources from different domains. These mechanisms also enforce security policies on scripts. By circumventing these safeguards, malicious actors can initiate requests to the X API from a source (domain) distinct from the origin of the web page.