Credit card cutting flaw could have killed EVERY AD on Twitter

Party-pooper gets $2800 for ad-busting bug

Twitter has patched a flaw in its service that allowed unauthorised users to delete every credit card from all accounts, potentially relieving the company of its advertising revenue, security researcher Ahmed Aboul-Ela says.

The attacks exploited an insecure direct object reference (IDOR) vulnerability: the service acted on sequential numeric identifiers supplied in URLs and request parameters without checking who owned the referenced object.

Aboul-Ela said he discovered two flaws that, combined with a simple script, could be used to delete all stored credit cards from all accounts.

"The impact of the vulnerability was very critical because all that is needed to delete credit cards is the credit card identifier which consists only of six numbers such as '220152'," Aboul-Ela said.

"So imagine a black hat hacker who could write a simple Python code and use a simple for loop on six numbers - he could delete all credit cards from all Twitter accounts which will result in halting all Twitter ads campaigns and will incur big financial loss for Twitter."

The first vulnerability affected cards stored within 'ads.twitter.com/accounts/[account id]/payment_methods'. Aboul-Ela had only to change two parameters in a POST request sent to Twitter and resend the manipulated request to erase a card.

The second flaw involved a 'dismiss' option generated when invalid cards were entered, which had the effect of erasing cards. Attackers could increment the card identifier in that request to erase further credit cards.
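Both flaws share the same root cause: the server acted on whatever payment-method identifier the request carried without checking that it belonged to the authenticated account. The Python sketch below is added here for illustration and is not Twitter's code or the researcher's; it contrasts a delete handler with that gap against one that scopes the lookup to the caller's account. The store contents, account ids and the 220152-style card ids are constructed sample data.

```python
"""Toy model of an ads payment-method deletion endpoint (illustration only,
not Twitter's code). Account ids and card ids below are constructed."""
from dataclasses import dataclass, field


@dataclass
class PaymentStore:
    # card_id -> owning ads account id (constructed sample data)
    cards: dict = field(default_factory=lambda: {
        220152: 1001, 220153: 1002, 220154: 1003,
    })


def delete_card_vulnerable(store, session_account, url_account, card_id):
    """IDOR: trusts the identifiers in the request. Any logged-in user can
    delete any card simply by choosing card_id; the account id in the URL
    is never compared against the session."""
    if card_id in store.cards:
        del store.cards[card_id]
        return 200
    return 404


def delete_card_fixed(store, session_account, url_account, card_id):
    """Hardened: the URL account must be the authenticated account, and the
    card must belong to it. Scoping the lookup to the caller's account makes
    foreign card ids indistinguishable from non-existent ones (404), so the
    endpoint cannot be used as an oracle while sweeping identifiers."""
    if session_account != url_account:
        return 403
    owner = store.cards.get(card_id)
    if owner is None or owner != session_account:
        return 404
    del store.cards[card_id]
    return 200


def demo():
    """Account 1001 tries to delete a card owned by 1002, then 1002 deletes
    its own card through the hardened handler."""
    vuln, fixed = PaymentStore(), PaymentStore()
    return (
        delete_card_vulnerable(vuln, 1001, 1001, 220153), len(vuln.cards),
        delete_card_fixed(fixed, 1001, 1001, 220153), len(fixed.cards),
        delete_card_fixed(fixed, 1002, 2002, 220153),
        delete_card_fixed(fixed, 1002, 1002, 220153), len(fixed.cards),
    )
```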

Aboul-Ela received US$2800 under Twitter's bug bounty program which he said was the highest yet paid.

Twitter earlier this month began paying for bug reports under a program launched under HackerOne. ®
