Just a month ago, the micro-blogging site Twitter started its bug bounty program, a program that has helped many firms and organisations with their security concerns. After the disclosure program began, security researchers started testing Twitter in an ethical manner. And now a researcher, the Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela, has come up with a great bug finding.

There were two vulnerabilities that Aboul-Ela discovered, and both of them have the same impact. Both vulnerabilities were found on the Twitter ads site (ads.twitter.com). The first vulnerability was spotted in the credit card functionality of the payment methods page, https://ads.twitter.com/accounts/[account id]/payment_methods. Choosing the "Delete this card" function sends an ajax POST request to the server. Two parameters in that request are worth noticing:

account
&id

Here account is the user's Twitter account id and id refers to the credit card id; it is numerical, without any alphabetic characters.

So Aboul-Ela wrote, “All I had to do was to change those two parameters to my other twitter account id and credit card id, then replay the request again and I suddenly found that the credit card had been deleted from the other twitter account without any required interaction.”

The page response was “403 Forbidden”, but in fact the credit card was deleted from the account.

The second vulnerability was similar to the first one, but this one has a higher impact than the previous one. When he tried to add an invalid credit card to his Twitter account, it displayed the error message “We were unable to approve the card you entered” along with a “Dismiss” button. On clicking the button, the credit card disappeared from his account.

This time the request was made with the following parameters:

utf8=
&authenticity_token=
&id=
&dismiss=

This time the account parameter does not exist and only the credit card id is used. He modified the credit card id in the URL and body to the credit card id from his other Twitter account and then replayed the request. Sending this modified request deleted the credit card from the other Twitter account.

To demonstrate this vulnerability, Aboul-Ela has published a POC video.
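Both flaws described above come down to the same server-side mistake: the handler trusts the account id and card id it receives and never verifies that the authenticated user owns them, so the 403 response is returned only after the delete has already happened. The following is an added example, not code from the article or from Twitter; it models the two endpoints in plain Python with an in-memory store and constructed sample ids, and shows the unchecked delete beside the ownership checks that close the hole (for the "Dismiss" case, ownership is resolved from the card id alone, since that request carries no account parameter).

```python
"""
Added example (not from the article or from Twitter): a minimal model of the
two card-removal endpoints, showing the missing ownership check that made the
IDOR possible and the server-side checks that close it.
All account ids, card ids and the in-memory store are constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the referenced object."""


@dataclass
class CardStore:
    # account_id -> owning user_id (constructed sample data)
    account_owner: dict = field(default_factory=dict)
    # card_id -> account_id the card is attached to
    card_account: dict = field(default_factory=dict)

    def delete_card_unchecked(self, account_id: int, card_id: int) -> bool:
        """Vulnerable pattern: trusts the client-supplied ids and deletes the
        card if it exists, never asking whether the session user owns it."""
        if card_id in self.card_account:
            del self.card_account[card_id]
            return True
        return False

    def delete_card(self, session_user: str, account_id: int, card_id: int) -> bool:
        """Hardened 'Delete this card': the account must belong to the
        authenticated user and the card must belong to that account.
        Authorization is decided before any state changes."""
        if self.account_owner.get(account_id) != session_user:
            raise Forbidden("account not owned by session user")
        if self.card_account.get(card_id) != account_id:
            raise Forbidden("card not attached to this account")
        del self.card_account[card_id]
        return True

    def dismiss_card(self, session_user: str, card_id: int) -> bool:
        """Hardened 'Dismiss': the request carries only a card id, so the
        owner is resolved server-side via card -> account -> user."""
        account_id = self.card_account.get(card_id)
        if account_id is None or self.account_owner.get(account_id) != session_user:
            raise Forbidden("card not owned by session user")
        del self.card_account[card_id]
        return True


def build_sample_store() -> CardStore:
    """Two users, each with one ads account and one card (constructed data)."""
    store = CardStore()
    store.account_owner = {1001: "alice", 1002: "bob"}
    store.card_account = {5001: 1001, 5002: 1002}
    return store


def demo() -> dict:
    """Runs the two scenarios from the write-up against both implementations."""
    results = {}
    # Unchecked endpoint: alice submits bob's ids and bob's card is gone.
    s = build_sample_store()
    results["unchecked_cross_account_delete"] = s.delete_card_unchecked(1002, 5002)
    results["bob_card_left_unchecked"] = 5002 in s.card_account
    # Checked endpoint: the same request is refused and bob's card survives.
    s = build_sample_store()
    try:
        s.delete_card("alice", 1002, 5002)
        results["checked_cross_account_delete"] = True
    except Forbidden:
        results["checked_cross_account_delete"] = False
    results["bob_card_left_checked"] = 5002 in s.card_account
    # Dismiss with only a card id: refused for a foreign card, allowed for own.
    try:
        s.dismiss_card("alice", 5002)
        results["dismiss_foreign"] = True
    except Forbidden:
        results["dismiss_foreign"] = False
    results["dismiss_own"] = s.dismiss_card("alice", 5001)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that the authorization decision is made from the session and the server's own records, not from any id the client sends, and it is made before the delete executes; a handler that deletes first and then reports 403 is exactly the symptom Aboul-Ela observed.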