Twitter Vulnerability Allows Deletion Of Payment Details


Twitter has been in the news a lot lately, firstly about their patent filing regarding the pro-active scanning on the web for malware and then the bug bounty going live – which is related to this story.

This is a pretty neat Twitter vulnerability that was discovered by someone taking part in the Twitter bug bounty program that we wrote about earlier this month.

Twitter Vulnerability

It’s not a massively dangerous vulnerability, in terms of the average Twitter user – but it could have been very disruptive to Twitter itself if undiscovered as a malicious user could have removed payment details from any account it could find the username/account ID for.

A researcher has uncovered a vulnerability on one of Twitter’s subdomains that could have been exploited to delete all the payment cards used by customers to pay for advertisements.

Companies and individuals that want to run ad campaigns on Twitter’s platform are required to add a payment card to their account. Egyptian security researcher Ahmed Aboul-Ela discovered multiple Insecure Direct Object Reference flaws that could have been leveraged by an attacker to delete the cards associated with Twitter Ads.

Aboul-Ela identified the first vulnerability after analyzing the POST request sent to the server when the “Delete this card” button is clicked. The request contained the parameters “account,” the ID of the Twitter account, and ” id,” a 6-digit number associated with the customer’s credit card. By changing the value of these parameters to one of a different account he owns, the researcher managed to delete the card.

While this method required the attacker to know the targeted user’s Twitter account ID, the second vulnerability found by the Egyptian expert is far easier to exploit.


It would be fairly trivial to write a brute force script to delete all cards from all accounts and effectively halt all Twitter advertising campaigns, which would save a lot of people money, and cost Twitter a lot of money.

But the vulnerability was disclosed responsibly and fixed two days after it being divulged to Twitter, the researcher received $2,800 for this vulnerability, which is a fairly respectable amount.

If users add invalid credit cards to their Twitter Ads accounts, they’re presented with two options: try to add the card again, or dismiss it. Dismissing a card is the same as deleting it, and the researcher soon realized that he could perform this action on valid cards already added to accounts. After analyzing the POST request, Aboul-Ela found that unlike the previous attack method, this one only required the attacker to know the 6-digit ID associated with the card.

“Imagine a blackhat hacker that could write a simple Python code and use a simple for loop on 6 numbers he could delete all credit cards from all Twitter accounts which will result in halting all the Twitter ads campaigns and incur big financial loss for Twitter,” the researcher explained in a blog post.

Aboul-Ela said Twitter addressed the vulnerabilities within two days after being notified. The company rewarded him with a $2,800 bounty.

Twitter has been running a bug bounty program on the HackerOne platform for the past three months, but at the beginning of September, the company decided to start handing out monetary rewards for researchers who contribute to making the service more secure. The minimum reward is $140, but a maximum limit has not been set. The bounty paid by Twitter to Aboul-Ela is the largest so far.

It’s good to see some interesting stuff coming out of the Twitter bug bounty program and I hope to see more, especially things like this which are pretty clever edge case scenarios that developers really wouldn’t think of addressing.

More companies should be running more effective bug bountry programs and securing them against potentially devastating attacks like this.

Source: Security Week

Posted in: Exploits/Vulnerabilities, Web Hacking

, , , , ,


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


Comments are closed.