CSV Command Injection In Twitter

Video: http://youtube.com/watch?v=_wl1k6aKQgI

Twitter allows users to export analytics of their tweets as a CSV file. By injecting a payload into a tweet, an attacker could exfiltrate data or execute code on the target machine. For instance, by tweeting -2+3+cmd|' /C calc'!D2 I am able to open up calc.exe on Windows, and in the same way I can execute my malicious command on a victim machine to get a reverse connection.

Steps to reproduce:

1. Create a new tweet with the command -2+3+cmd|' /C calc'!D2.
2. In your profile section click on View your top Tweets, or visit /tweets (make sure your ads account is connected, and change MuhaddiMu to your username).
3. Click on Export Data at the top-right of the page. (I've attached that file.)
4. Open the .CSV file on a Windows machine.

Possible fix:

- Prefix fields starting with =, +, - or @ with a ' when exporting them to a .CSV file.
- Ensure all fields are properly escaped before returning the CSV file to the user.

This was reported to Twitter via HackerOne in October 2018. They closed the report as Informative, but the problem still exists because, in their view, Excel needs to handle this.

I write more at Muhaddis.Info. LinkedIn, Twitter, Facebook, Instagram: @MuhaddiMu
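The fix described above, as an added example that is not part of the original report or of Twitter's code: an export routine that neutralizes formula-leading cells (the OWASP-recommended single-quote prefix, extended to tab and carriage return) and quotes every field, plus a check that flags which cells would have been interpreted as formulas so the export service can log them. The tweet rows are constructed sample data.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (=, +, -, @) or otherwise break out of the cell (tab, carriage return).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample analytics rows: (tweet_id, tweet_text, impressions).
# The second row carries the DDE-style payload quoted in the report above.
SAMPLE_ROWS = [
    ("1", "-2+3+cmd|' /C calc'!D2", 42),
    ("2", "normal tweet text", 1337),
    ("3", "@MuhaddiMu thanks!", 7),
]


def neutralize_cell(value: str) -> str:
    """Return text a spreadsheet will display literally, never evaluate.

    A leading single quote forces text mode; the original content is kept
    intact after it, so the export still shows exactly what was tweeted.
    """
    if value and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def find_formula_cells(rows):
    """Detection hook: (row_index, column_index) of every cell a spreadsheet
    would have treated as a formula. Useful for logging/alerting on exports."""
    hits = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            if str(cell).startswith(FORMULA_PREFIXES):
                hits.append((r, c))
    return hits


def export_tweets_csv(rows) -> str:
    """Serialize rows to CSV with every field neutralized and double-quoted.

    QUOTE_ALL wraps each field in quotes and doubles embedded quotes, which
    stops a crafted tweet from closing a cell early or injecting new columns.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["tweet_id", "tweet_text", "impressions"])
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()
```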
