While researching web authentication vulnerabilities, I came across a fascinating case study that demonstrates how a tiny implementation flaw can compromise an entire authentication system. This wasn’t a complex cryptographic break — it was a simple regex mistake in Twitter’s “Sign in with Digits” feature that allowed complete account takeover.
The Vulnerability: When a Dot Becomes a Wildcard
The issue was in Twitter’s Digits SDK, specifically in how it validated message origins between the authentication service and client websites. The vulnerable code looked like this:
```javascript
onReceiveMessage: function(t) {
  // t is the postMessage event; t.origin is the sender's origin string.
  // search() compiles t.origin into a RegExp, so "." matches any character and
  // any substring match against sdk_host is accepted as a valid origin.
  this.config && -1 !== this.config.get("sdk_host").search(t.origin) && this.resolve(t.data)
}
```
At first glance, it seems like it’s checking whether the message origin matches `https://www.digits.com`. But there's a critical flaw in how JavaScript's `String.prototype.search()` works.
The Devil in the Details:
- `search()` converts its parameter to a regular expression
- In regex, dots (`.`) match any single character
- So `"https://www.digits.com".search("www.d.gits.co")` actually returns a match position…
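To make the failure concrete, here is an added example (not code from the Digits SDK or the original write-up) that puts the substring/regex check beside a strict-equality check and an escaped, anchored pattern, and runs all three over a few constructed origins; the host names and function names are mine.

```javascript
// Added example: vulnerable origin check vs. hardened variants (not Digits SDK code).
const SDK_HOST = "https://www.digits.com";

// Vulnerable: search() compiles its argument into a RegExp, so every "." in the
// origin is a wildcard and a match anywhere inside sdkHost is accepted.
function vulnerableOriginCheck(origin, sdkHost = SDK_HOST) {
  return sdkHost.search(origin) !== -1;
}

// Hardened: compare the whole origin string for strict equality.
function strictOriginCheck(origin, sdkHost = SDK_HOST) {
  return origin === sdkHost;
}

// If a pattern is genuinely needed, escape regex metacharacters in the expected
// host and anchor the pattern so it must cover the entire origin.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}
function anchoredOriginCheck(origin, sdkHost = SDK_HOST) {
  const re = new RegExp("^" + escapeRegExp(sdkHost) + "$");
  return re.test(origin);
}

// Constructed origins for the comparison (hypothetical names, not real reports).
const ORIGINS = [
  "https://www.digits.com",     // legitimate sender
  "https://www.d.gits.com",     // the "." in "d.gits" matches the "i" in "digits"
  "https://digits.com.example", // longer than sdkHost, so rejected by every check
];

// Returns one row per origin showing what each check decides.
function compareChecks(origins = ORIGINS) {
  return origins.map((origin) => ({
    origin,
    vulnerable: vulnerableOriginCheck(origin),
    strict: strictOriginCheck(origin),
    anchored: anchoredOriginCheck(origin),
  }));
}

console.table(compareChecks());
```

The second row is the one that matters: the substring/regex check accepts `https://www.d.gits.com`, while both hardened checks reject it.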