Twitter Vulnerability Allows Deletion Of Payment Details

The New Acunetix V12 Engine


Twitter has been in the news a lot lately, firstly about their patent filing regarding the pro-active scanning on the web for malware and then the bug bounty going live – which is related to this story.

This is a pretty neat Twitter vulnerability that was discovered by someone taking part in the Twitter bug bounty program that we wrote about earlier this month.

Twitter Vulnerability

It’s not a massively dangerous vulnerability, in terms of the average Twitter user – but it could have been very disruptive to Twitter itself if undiscovered as a malicious user could have removed payment details from any account it could find the username/account ID for.

A researcher has uncovered a vulnerability on one of Twitter’s subdomains that could have been exploited to delete all the payment cards used by customers to pay for advertisements.

Companies and individuals that want to run ad campaigns on Twitter’s platform are required to add a payment card to their account. Egyptian security researcher Ahmed Aboul-Ela discovered multiple Insecure Direct Object Reference flaws that could have been leveraged by an attacker to delete the cards associated with Twitter Ads.

Aboul-Ela identified the first vulnerability after analyzing the POST request sent to the server when the “Delete this card” button is clicked. The request contained the parameters “account,” the ID of the Twitter account, and ” id,” a 6-digit number associated with the customer’s credit card. By changing the value of these parameters to one of a different account he owns, the researcher managed to delete the card.

While this method required the attacker to know the targeted user’s Twitter account ID, the second vulnerability found by the Egyptian expert is far easier to exploit.


It would be fairly trivial to write a brute force script to delete all cards from all accounts and effectively halt all Twitter advertising campaigns, which would save a lot of people money, and cost Twitter a lot of money.

But the vulnerability was disclosed responsibly and fixed two days after it being divulged to Twitter, the researcher received $2,800 for this vulnerability, which is a fairly respectable amount.

If users add invalid credit cards to their Twitter Ads accounts, they’re presented with two options: try to add the card again, or dismiss it. Dismissing a card is the same as deleting it, and the researcher soon realized that he could perform this action on valid cards already added to accounts. After analyzing the POST request, Aboul-Ela found that unlike the previous attack method, this one only required the attacker to know the 6-digit ID associated with the card.

“Imagine a blackhat hacker that could write a simple Python code and use a simple for loop on 6 numbers he could delete all credit cards from all Twitter accounts which will result in halting all the Twitter ads campaigns and incur big financial loss for Twitter,” the researcher explained in a blog post.

Aboul-Ela said Twitter addressed the vulnerabilities within two days after being notified. The company rewarded him with a $2,800 bounty.

Twitter has been running a bug bounty program on the HackerOne platform for the past three months, but at the beginning of September, the company decided to start handing out monetary rewards for researchers who contribute to making the service more secure. The minimum reward is $140, but a maximum limit has not been set. The bounty paid by Twitter to Aboul-Ela is the largest so far.

It’s good to see some interesting stuff coming out of the Twitter bug bounty program and I hope to see more, especially things like this which are pretty clever edge case scenarios that developers really wouldn’t think of addressing.

More companies should be running more effective bug bountry programs and securing them against potentially devastating attacks like this.

Source: Security Week

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , , ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


Comments are closed.