“We’re introducing a bug bounty program to thank researchers for responsibly-disclosed issues,” Twitter said through its Twitter account.
“I’ve successfully found a CSRF vulnerability that can add many followers in a single request and bypass the CSRF token protection, but unfortunately it was a duplicate issue. I started looking again for some more critical bugs and I successfully found a serious logical vulnerability [insecure direct object reference] in ads.twitter.com that allowed me to delete credit cards from any Twitter account. The impact of the vulnerability was very critical and high because all that’s needed to delete a credit card is to have the credit card identifier, which consists only of 6 numbers such as “220152”,” the post states.
The delete request carried two parameters:
Account: the Twitter account id
ID: the credit card id, which is numeric and contains no alphabetic characters
“All I had to do is to change those two parameters to my other Twitter account id and credit card id, then replay the request, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction,” Aboul-Ela wrote.
“We were unable to approve the card you entered”
“I thought it had the same effect as deleting, so I tried to add an invalid credit card again and intercepted the request,” he said.
Note that, unlike the first flaw, here the expert only modified the credit card id in the URL and body to the credit card id from his other Twitter account and then replayed the request.
This means that it was possible to delete, from the other Twitter account, the payment card with that specific id.
Below is the video proof of concept sent by Aboul-Ela.
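The defect described above is a classic insecure direct object reference: the handler acts on whatever account id and card id the request names, instead of deriving authorisation from the authenticated session. The following is an added illustration, not Twitter's code and not Aboul-Ela's, showing a constructed in-memory card store with a vulnerable delete handler beside a hardened one. Account names, the `CardStore` class, the `Forbidden` exception and the card id `330941` are constructed for the example; `220152` is the sample id quoted in the post.

```python
# Added illustration (not Twitter's code): an insecure-direct-object-reference
# bug of the kind described above, shown as a vulnerable delete handler beside
# a hardened one that enforces ownership. All data and names are constructed.

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the object."""


@dataclass
class CardStore:
    # account id -> set of card ids owned by that account (constructed data)
    cards: dict = field(default_factory=dict)

    def delete_card_vulnerable(self, session_account: str,
                               account_param: str, card_id: str) -> bool:
        """Trusts the account id and card id taken from the request.

        The server authenticated `session_account`, but the handler never
        checks that `account_param` is that account, nor that `card_id`
        belongs to it: a caller who supplies another account's ids deletes
        that account's card. Short numeric ids make the missing check the
        only thing standing between the two accounts.
        """
        owned = self.cards.get(account_param, set())
        if card_id in owned:
            owned.discard(card_id)
            return True
        return False

    def delete_card_hardened(self, session_account: str,
                             account_param: str, card_id: str) -> bool:
        """Same operation, but authorisation is derived from the session.

        The account id from the request must equal the authenticated
        account, and the card must be one of that account's cards; any
        mismatch is rejected before state changes.
        """
        if account_param != session_account:
            raise Forbidden("account id in request does not match session")
        owned = self.cards.get(session_account, set())
        if card_id not in owned:
            # Same response as "no such card": does not reveal whether the
            # id exists under some other account.
            raise Forbidden("card not found for this account")
        owned.discard(card_id)
        return True


def demo() -> dict:
    """Run the scenario from the post: session 'attacker', parameters 'victim'."""
    store = CardStore({"victim": {"220152"}, "attacker": {"330941"}})
    vulnerable_deleted = store.delete_card_vulnerable("attacker", "victim", "220152")

    # Fresh store, same request, hardened handler.
    store = CardStore({"victim": {"220152"}, "attacker": {"330941"}})
    try:
        store.delete_card_hardened("attacker", "victim", "220152")
        hardened_blocked = False
    except Forbidden:
        hardened_blocked = True

    return {
        "vulnerable_deleted": vulnerable_deleted,      # True: victim's card gone
        "hardened_blocked": hardened_blocked,          # True: request refused
        "victim_card_intact": "220152" in store.cards["victim"],
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version ignores the account id in the URL for authorisation purposes (it only checks that it agrees with the session) and looks the card up under the authenticated account, so the same request that deleted the victim's card in the vulnerable handler is refused. The invalid-card "add" path Aboul-Ela describes needs the identical check, since any endpoint that takes an object id from the client must resolve it within the caller's own scope.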
(Security Affairs – Twitter security flaw, hacking)