Did you know you just dropped a 0day on twitter?
Replying to @taviso
Wait... are you serious? They... actually embed the private cert somewhere? I was just laughing at the domain name.
9 replies 33 retweets 601 likes
Replying to @SwiftOnSecurity
Yes, it happens sometimes; as soon as someone pulls out the key, the CA is required to revoke it. They probably did it to avoid mixed-content warnings, as you can probably guess... it's not the correct solution. Anyone using this app is vulnerable to trivial MITM.
7 replies 11 retweets 268 likes
Replying to @taviso @SwiftOnSecurity
Interestingly, that host doesn't show up in http://crt.sh, so they didn't do the most convenient common bad thing.
3 replies 1 retweet 57 likes
Replying to @ericlaw @SwiftOnSecurity
I pulled out the certificates here, they do seem valid at first glance, not sure why they didn't get logged in CT.
https://pastebin.com/F8UD8Ypb
3 replies 1 retweet 121 likes
Replying to @SwiftOnSecurity @ericlaw
It seems like Atlassian are a CVE CNA, you can ask them to assign a CVE if you like! (seriously, this is a real vulnerability) https://cve.mitre.org/cve/request_id.html#a …
4 replies 9 retweets 157 likes
Any time a stock web browser connects to localhost using HTTPS and doesn't complain about an invalid certificate, your vulnerability spidey senses should be tingling.
1 reply 1 retweet 7 likes
Note that Microsoft Edge is apparently quite speedy at picking up that the certificate has been revoked. Google Chrome seems to be fine with it at the moment.
2 replies 2 retweets 5 likes
Also note that this private key isn't too terribly tricky to find. A simple grep in the installed software directory would suffice.
1 reply 2 retweets 6 likes
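As an added defensive example (written for this page, not code from anyone in the thread or from the vendor), here is a small Python audit script that does what the grep above does over a whole install tree: it finds every PEM block, classifies it as a private key or a certificate, and for certificates computes the SHA-256 fingerprint of the DER bytes so the result can be compared against Certificate Transparency logs such as crt.sh, which the thread notes did not list this host. It also handles keys embedded in JSON/JS config strings with escaped `\n` sequences, which a naive grep for `BEGIN PRIVATE KEY` finds but a base64 decoder would otherwise choke on. The directory layout, file names and PEM bodies in the sample tree are constructed placeholders, not real key material.

```python
import base64
import hashlib
import os
import re
import tempfile

# Any PEM block: group 1 is the label ("RSA PRIVATE KEY", "CERTIFICATE", ...),
# group 2 the base64 body. DOTALL lets the body span newlines or literal "\n".
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed dummy bodies; valid base64 but NOT real keys or certificates.
SAMPLE_KEY_BODY = base64.b64encode(b"constructed dummy bytes, not a real key").decode()
SAMPLE_CERT_BODY = base64.b64encode(b"constructed dummy bytes, not a real cert").decode()


def find_pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]


def pem_body_to_der(body):
    """Strip whitespace and literal backslash-n/r sequences (JSON-escaped PEM), then decode."""
    cleaned = re.sub(r"\\[nr]|\s", "", body)
    return base64.b64decode(cleaned)


def cert_fingerprint(body):
    """SHA-256 over the DER, the fingerprint form shown by crt.sh and browser cert viewers."""
    return hashlib.sha256(pem_body_to_der(body)).hexdigest()


def classify(label):
    if label.endswith("PRIVATE KEY"):  # covers PKCS#8, RSA, EC, OPENSSH, ENCRYPTED variants
        return "private_key"
    if label == "CERTIFICATE":
        return "certificate"
    return "other"


def scan_tree(root, max_bytes=4 * 1024 * 1024):
    """Walk an install directory and report every PEM block, with a fingerprint for certs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip large binaries; tune for your environment
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            text = data.decode("utf-8", errors="ignore")
            for label, body in find_pem_blocks(text):
                kind = classify(label)
                finding = {"path": os.path.relpath(path, root), "label": label, "kind": kind}
                if kind == "certificate":
                    try:
                        finding["sha256"] = cert_fingerprint(body)
                    except ValueError:  # binascii.Error is a ValueError: malformed base64
                        finding["sha256"] = None
                findings.append(finding)
    return findings


def build_sample_tree():
    """Create a throwaway directory mimicking an installed app (constructed data only)."""
    root = tempfile.mkdtemp(prefix="pemscan-")
    os.makedirs(os.path.join(root, "resources"))
    key_pem = "-----BEGIN PRIVATE KEY-----\n" + SAMPLE_KEY_BODY + "\n-----END PRIVATE KEY-----\n"
    cert_pem = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_CERT_BODY + "\n-----END CERTIFICATE-----\n"
    # Key and cert shipped side by side in a resource file.
    with open(os.path.join(root, "resources", "localhost.pem"), "w") as fh:
        fh.write(key_pem + cert_pem)
    # The same key embedded in a JSON config with escaped newlines.
    with open(os.path.join(root, "config.json"), "w") as fh:
        fh.write('{"tlsKey": "' + key_pem.replace("\n", "\\n") + '"}')
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("No secrets here.\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["kind"], f["label"], f["path"], f.get("sha256", ""))
```

Point the script at a real install directory to get the same list; a `private_key` finding in a shipped application is the condition the thread describes, and a `certificate` fingerprint that crt.sh does not know about is worth a second look because it may mean the CA has not been told yet.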
I suspect that's OCSP, but that doesn't mean very much - an attacker can just drop the queries unless Edge hard fails (which would be very surprising), see this link https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Criticisms …