VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

Twitter-Clone 1 Cross-Site Request Forgery via tweetdel.php

CVE-2018-25363

Description

Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Twitter-Clone 1 is vulnerable to cross-site request forgery, allowing remote attackers to delete arbitrary posts from authenticated users.

Vulnerability

Twitter-Clone 1 (all versions up to 1.0) contains a cross-site request forgery (CSRF) vulnerability in tweetdel.php. The endpoint lacks any CSRF token or origin validation, making it possible for an attacker to craft malicious HTML forms that, when submitted by an authenticated victim, delete arbitrary posts. The affected code is in the tweetdel.php file, which accepts a tweet ID via POST parameters and deletes the corresponding post without verifying the request's authenticity [1][2].

Exploitation

An attacker can exploit this vulnerability by hosting a hidden HTML form that targets tweetdel.php with a specific tweet ID. The form is automatically submitted using JavaScript (e.g., document.forms[0].submit()). The victim must be logged into Twitter-Clone 1 and visit the attacker-controlled page. No additional privileges or network position beyond standard web access are required [2][3]. The attacker can set the tweet ID to any existing post, including those of the victim or other users, as long as the victim has permission to delete it (typically their own posts) [2].

Impact

A successful CSRF attack allows the attacker to delete arbitrary posts from the victim's account. This results in a loss of data integrity and can cause denial of service by removing important content. The attacker does not gain any elevated privileges or access to sensitive information beyond the ability to delete posts [2].

Mitigation

As of the available references, no official patch has been released for Twitter-Clone 1. The project appears unmaintained (last commit in 2018) [1]. The recommended mitigation is to implement CSRF tokens in tweetdel.php and validate them on every POST request. Alternatively, site administrators can restrict the endpoint to only accept requests with a valid Referer header or use same-site cookies. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
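The token-based mitigation described above, as an added example that is not Twitter-Clone's own code: a delete endpoint modelled on tweetdel.php that issues a per-session CSRF token, embeds it in the delete form, and rejects any POST that does not carry it. The parameter names `csrf_token` and `tweet_id`, the `$pdo` connection and the `tweets` table layout are assumptions, not taken from the project.

```php
<?php
// Added example (not Twitter-Clone's code): CSRF-protected delete endpoint.
// Assumed: $pdo is an existing PDO connection; table tweets(id, user_id);
// POST field names csrf_token and tweet_id; $_SESSION['user_id'] set at login.
declare(strict_types=1);

// Defence in depth: a SameSite cookie keeps the browser from attaching the
// session to a cross-site form POST even before the token check runs.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one random token per session; a forged form on another origin
// never sees this value, so it cannot include it in the request.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; fails closed when no token was ever issued.
function csrf_valid(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Ownership is enforced in the query: a user can only delete their own post.
function delete_tweet(PDO $pdo, int $tweetId, int $userId): bool {
    $stmt = $pdo->prepare('DELETE FROM tweets WHERE id = ? AND user_id = ?');
    $stmt->execute([$tweetId, $userId]);
    return $stmt->rowCount() === 1;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['user_id'])) { http_response_code(401); exit; }
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
    $tweetId = filter_input(INPUT_POST, 'tweet_id', FILTER_VALIDATE_INT);
    if ($tweetId === false || $tweetId === null) { http_response_code(400); exit; }
    delete_tweet($pdo, $tweetId, (int) $_SESSION['user_id']);
    header('Location: /');
    exit;
}

// Rendering the legitimate delete form with the hidden token field.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="tweetdel.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="hidden" name="tweet_id" value="42">'
   . '<button type="submit">Delete</button></form>';
```

The Referer/Origin check mentioned above can be layered on top of this, but the token is the control that does not depend on headers the browser may omit.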

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.