New Vulnerability Found in Twitter, Allows Hackers to Delete Credit Cards from Twitter Account - BestCyberNews: Online News Presenter in the present world

New Vulnerability Found in Twitter, Allows Hackers to Delete Credit Cards from Twitter Account

Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela found a new vulnerability in Twitter that allows attackers to delete credit card information from any Twitter account.

Earlier this month Twitter announced its new bug bounty program and started paying monetary rewards, so Aboul-Ela decided to look for new bugs in Twitter and get paid.

He then started hunting for bugs in Twitter and found a CSRF vulnerability that could add many followers in a single request and bypass the CSRF token protection, but unfortunately it was a duplicate issue.

He then found a serious logical vulnerability, an insecure direct object reference (IDOR), in ads.twitter.com that allowed him to delete credit cards from any Twitter account.

This vulnerability was rated very critical because all that is needed to delete a credit card is its identifier, which consists of only 6 digits, such as "220152".

With this bug, any blackhat hacker could write a simple Python script with a for loop over the 6-digit identifiers and delete all credit cards from all Twitter accounts, which would halt all Twitter ads campaigns and incur a big financial loss for Twitter.
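The mass-deletion scenario above has a clear detection signature: one session removing many different payment-method ids in a short time, and ids that form a gap-free run. The following is an added example, not code from the article or from Twitter, of detection logic a defender could run over an application audit log. The log format, the timestamps, the session names and the sample lines are constructed for the example; the endpoint names (destroy, handle_failed) are the ones shown in the article's captured requests, and the account id 18ce53wqoxd is the researcher's own from those requests.

```python
# Added example, not from the article: detection logic a defender could run
# over an application audit log to spot the scenario described above, where
# one session walks the 6-digit payment-method id space through the
# payment_methods/destroy and handle_failed/<id> endpoints. The log format,
# timestamps, session names and sample lines are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One audit line per deletion attempt. Recording the *target* card id is the
# prerequisite for this detection: a plain access log would not show the id
# sent in the destroy request body.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) account=(?P<account>\S+) "
    r"endpoint=(?P<endpoint>\S+) card_id=(?P<card_id>\d+) result=(?P<result>\S+)$"
)

# Constructed sample: s1 deletes one card, s2 walks five consecutive ids in
# five seconds, s3 deletes two unrelated cards a minute apart.
SAMPLE_AUDIT_LOG = """\
2001-01-01T10:00:01Z session=s1 account=18ce53wqoxd endpoint=destroy card_id=219643 result=deleted
2001-01-01T10:05:00Z session=s2 account=18ce53wqoxd endpoint=handle_failed card_id=220150 result=deleted
2001-01-01T10:05:01Z session=s2 account=18ce53wqoxd endpoint=handle_failed card_id=220151 result=deleted
2001-01-01T10:05:02Z session=s2 account=18ce53wqoxd endpoint=handle_failed card_id=220152 result=deleted
2001-01-01T10:05:03Z session=s2 account=18ce53wqoxd endpoint=handle_failed card_id=220153 result=deleted
2001-01-01T10:05:04Z session=s2 account=18ce53wqoxd endpoint=handle_failed card_id=220154 result=deleted
2001-01-01T11:30:00Z session=s3 account=acct_legit endpoint=destroy card_id=301200 result=deleted
2001-01-01T11:31:00Z session=s3 account=acct_legit endpoint=destroy card_id=301207 result=deleted
"""


def parse_audit_log(text: str) -> list:
    """Parses the constructed format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["card_id"] = int(ev["card_id"])
        events.append(ev)
    return events


def detect_id_enumeration(events: list, max_distinct: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> dict:
    """Flags sessions that target more than max_distinct different card ids
    inside any sliding time window. 'sequential' is True when the flagged ids
    form a gap-free run, the signature of a counter-driven loop rather than a
    user clicking through their own cards."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)

    alerts = {}
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        worst = None
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ids = {e["card_id"] for e in evs[start:end + 1]}
            if len(ids) > max_distinct and (worst is None or len(ids) > worst["distinct_ids"]):
                worst = {
                    "account": evs[end]["account"],
                    "distinct_ids": len(ids),
                    "sequential": max(ids) - min(ids) + 1 == len(ids),
                    "first_seen": evs[start]["ts"].isoformat(),
                }
        if worst is not None:
            alerts[session] = worst
    return alerts


def run_demo() -> dict:
    """Runs the detector over the constructed sample; only s2 should be flagged."""
    return detect_id_enumeration(parse_audit_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for session, info in run_demo().items():
        print(session, info)
```

The threshold of three distinct ids per ten minutes is a starting point, not a tuned value; a legitimate advertiser rarely removes more than a couple of cards in one sitting, so the false-positive cost of alerting on the sequential case is low.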

Vulnerabilities

The first vulnerability he spotted was in the delete functionality for credit cards on the payment methods page:

https://ads.twitter.com/accounts/[account id]/payment_methods

When the researcher chose to delete a credit card and pressed the delete button, an AJAX POST request like the following was sent to the server:

POST /accounts/18ce53wqoxd/payment_methods/destroy HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: https://ads.twitter.com
X-CSRF-Token: Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz/trVdQfE=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [cookies here]

account=18ce53wqoxd&id=219643

Only two POST parameters are sent in the request body.

The second vulnerability is similar, but this time the impact was higher. When he tried to add an invalid credit card to his Twitter account, the page displayed the error message "we were unable to approve the card you entered" and showed a button called "Dismiss".
When he pressed the Dismiss button, the credit card disappeared from the account, so it appeared to have the same effect as deleting it. He then tried to add an invalid credit card again and intercepted the request, which looks like the following:

POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152 HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 108
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://ads.twitter.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [Cookies Here]

utf8=%E2%9C%93&authenticity_token=Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz%2FtrVdQfE%3D&id=220152&dismiss=Dismiss

This time the account parameter is absent and only the credit card id is used.
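Both requests share the defect the article describes: the server resolves the card by its short numeric id and never checks that the card belongs to the authenticated account (in the first request the account field is present, but it is client-supplied and therefore no protection; in the second it is not even sent). The following is an added example, not code from the article or from Twitter, modelling that handler beside an ownership-scoped fix. The in-memory store, the second advertiser account and the card data are constructed; the account id 18ce53wqoxd and the card ids 219643 and 220152 are the values shown in the captured requests above.

```python
# Added example, not the article's or Twitter's code: a minimal model of the
# ads.twitter.com payment-method deletion described above, showing the
# insecure direct object reference (IDOR) beside an ownership-scoped fix.
# The store, the second advertiser account and the card data are constructed.
from dataclasses import dataclass, field
from typing import Optional


class NotFound(Exception):
    """Raised when a card is not present in the caller's own account."""


@dataclass
class PaymentMethod:
    card_id: int        # the short numeric identifier the page shows ("220152")
    account_id: str     # the advertiser account the card belongs to
    last4: str


@dataclass
class PaymentStore:
    # Global table keyed only by card id: the id alone addresses any
    # account's card, which is what made enumeration possible.
    cards: dict = field(default_factory=dict)

    def add(self, pm: PaymentMethod) -> None:
        self.cards[pm.card_id] = pm


def vulnerable_delete(store: PaymentStore, session_account: str, card_id: int,
                      form_account: Optional[str] = None) -> bool:
    """Models both endpoints on the page (destroy and handle_failed/<id>):
    the card is looked up by id alone and its owner is never compared with
    the authenticated session. form_account is the client-supplied 'account'
    field of the destroy request; it is attacker-controlled, so checking it
    would not help, and this handler ignores it just as the real one did."""
    if card_id in store.cards:
        del store.cards[card_id]
        return True
    return False


def hardened_delete(store: PaymentStore, session_account: str, card_id: int) -> bool:
    """Fix: resolve the card through the authenticated account. A card id
    that is not owned by session_account is treated exactly like a card that
    does not exist, so the response leaks nothing about other accounts."""
    pm = store.cards.get(card_id)
    if pm is None or pm.account_id != session_account:
        raise NotFound(f"payment method {card_id} not found for {session_account}")
    del store.cards[card_id]
    return True


def build_store() -> PaymentStore:
    # Constructed data: the researcher's account id from the page and one
    # other advertiser account, each holding one card.
    store = PaymentStore()
    store.add(PaymentMethod(219643, "18ce53wqoxd", "4242"))
    store.add(PaymentMethod(220152, "other_advertiser", "1111"))
    return store


def demo() -> dict:
    """Attempts to remove the other advertiser's card from the researcher's
    session under both handlers and reports what happened."""
    session = "18ce53wqoxd"
    other_card = 220152

    weak = build_store()
    weak_deleted = vulnerable_delete(weak, session, other_card, form_account=session)

    strong = build_store()
    try:
        hardened_delete(strong, session, other_card)
        strong_deleted = True
    except NotFound:
        strong_deleted = False
    still_present = other_card in strong.cards

    # The legitimate owner can still remove their own card under the fix.
    owner_ok = hardened_delete(strong, "other_advertiser", other_card)

    return {
        "vulnerable_deleted_other_card": weak_deleted,
        "hardened_deleted_other_card": strong_deleted,
        "other_card_survives_hardened_attempt": still_present,
        "hardened_owner_delete_ok": owner_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the lookup itself is scoped to the session's account rather than a separate "is this mine?" check bolted on afterwards; with the scoped lookup there is no code path that can reach another account's row, and a wrong id and a foreign id produce the same not-found response.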

Author: Venkatesh Yalagandula