Vulnerability Allows Attacker to Delete Credit Cards from any Twitter Account
At the beginning of this month, just like other social networks, Twitter also started paying individuals for any flaws they uncover on its service with a fee of $140 or more offered per flaw under its new Bug Bounty program, and here comes the claimant.
An Egyptian Security Researcher, Ahmed Mohamed Hassan Aboul-Ela, who have been rewarded by many reputed and popular technology giants including Google, Microsoft and Apple, have discovered a critical vulnerability in Twitter’s advertising service that allowed him deleting credit cards from any Twitter account.
Initially, Aboul-Ela found two different vulnerabilities in ads.twitter.com, but both the flaws was having the “same effect and impact.” First flaw exists in the Delete function of credit cards in payments method page, https://ads.twitter.com/accounts/[account id]/payment_methods
By choosing the Delete this card function, an ajax POST request is sent to the server. The post parameters sent in request body are:
Account: the twitter account id
ID: the credit card id and it’s numerical without any alphabetic characters
“All I had to do is to change those two parameters to my other twitter account id and credit card id , then reply again the request and I suddenly found that credit card have been delete from the other twitter account without any required interaction,” Aboul-Ela wrote.
The page response was “403 forbbiden” but in actual, the credit card was deleted from the account.
Aboul-Ela found another similar flaw in ads.twitter.com, but according to him, the impact of the this vulnerability was higher than the previous one.
When he tried to add an invalid credit card to his twitter account, it displayed an Error message “We were unable to approve the card you entered” and serve “Dismiss” button. Clicking on the button, the credit card was disappeared from his account.
“I thought it have the same effect of deleting, so I tried to add invalid credit card again and intercepted the request,” he said.
Unlike first vulnerability, the account parameter doesn’t exists, only credit card Id is used. He modified the credit card Id in the URL and body to his credit card Id from other twitter account and then replied the request.
Guess what ? The credit card got deleted from the other twitter account. Aboul-Ela has also provided the Video demonstration as a Proof-of-concept for the vulnerability he discovered.
IMPACT OF VULNERABILITY
The Vulnerability could impact Twitter financially hard because it could be exploited easily by writing a simple python code or using a simple for loop on 6 numbers. Using it, a bad actor could delete all credit cards from all twitter accounts, resulting in “halting all the twitter ads campaigns and incur big financial loss for Twitter.”
“The impact of the vulnerability was very critical and high because all what’s needed to delete credit card is to have the credit card identifier which consists only of 6 numbers such as “220152,″ said Aboul-Ela.