Written by: Chaotic Indian
Ahmed Mohamed Hassan Aboul-Ela, a security researcher, has just become richer by $2800.
The researcher had discovered a major vulnerability in Twitter that let a user delete all the credit cards from any account. He first noticed two different exploits on the ads.twitter.com domain that, when combined with a simple Python script, would allow a potential attacker to delete all credit cards and thereby stop the flow of ad traffic for Twitter, which would result in a huge financial loss for the company. “The impact of the vulnerability was very critical because all that is needed to delete credit cards is the credit card identifier which consists only of six numbers such as ‘220152’,” Aboul-Ela said.
The first flaw was found in the “DELETE” function of the “credit card” option on the payments page. When a user chooses “Delete this card”, an Ajax “POST” request is sent to the server. The POST carries two parameters: the Twitter account ID and the credit card identifier.
Aboul-Ela stated that, “All I had to do is to change those two parameters to my other Twitter account id and credit card id, then replay the request, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction.”
The second flaw was found in the “DISMISS” option. When an invalid card number was entered, an error message was displayed along with an option to “dismiss” the card. Aboul-Ela found that clicking this option removed the credit card from his account. Since this time only the credit card identifier was required, he changed the credit card ID in the URL to his own credit card number; on reloading the request, that card was deleted as well. Aboul-Ela has also provided a YouTube video showing the second exploit in action.
He notified Twitter immediately, and the company rewarded him with $2800 under its “Bug Bounty” program, which pays hackers to find potential exploits in its systems.
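Both flaws are the same class of bug: the server acted on a card identifier supplied by the client without checking that the card belonged to the authenticated account. The following in-memory model is an added example (not Twitter's code) that shows the missing check for each endpoint beside the ownership check that closes it; the account names and the second card id are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class PaymentStore:
    # card_id -> owning account_id (constructed sample data; "220152" is the
    # example identifier quoted in the article, "220153" is made up here)
    cards: dict = field(default_factory=lambda: {
        "220152": "acct_A",
        "220153": "acct_B",
    })

    # --- Flaw 1 (DELETE): account_id and card_id both come from the client ---
    def delete_vulnerable(self, session_account, account_id, card_id):
        # Neither the posted account_id nor the card's real owner is compared
        # with the logged-in account, so any guessable six-digit id is deletable.
        if card_id in self.cards:
            del self.cards[card_id]
            return True
        return False

    def delete_secure(self, session_account, account_id, card_id):
        # Authorization: the posted account must be the authenticated one AND
        # the card must belong to it. Fail closed with a generic result so a
        # caller cannot tell "no such card" from "not your card".
        if account_id != session_account:
            return False
        if self.cards.get(card_id) != session_account:
            return False
        del self.cards[card_id]
        return True

    # --- Flaw 2 (DISMISS): only a card_id is supplied in the URL ---
    def dismiss_vulnerable(self, session_account, card_id):
        # The card is removed purely on the strength of the id in the URL.
        return self.cards.pop(card_id, None) is not None

    def dismiss_secure(self, session_account, card_id):
        # Resolve the owner server-side from the id and require a match with
        # the session; the URL is never trusted for ownership.
        if self.cards.get(card_id) != session_account:
            return False
        del self.cards[card_id]
        return True
```

A useful detection signal for this bug class is a request whose session account differs from the account_id or card owner it references; logging that mismatch (rather than silently deleting) surfaces enumeration attempts early.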
Sources:
1. http://thehackernews.com/2014/09/twitter-vulnerability-allows-hacker-to_16.html
2. http://www.theregister.co.uk/2014/09/17/credit_card_cutting_flaw_could_have_killed_every_ad_on_twitter/
This is what I like, when someone proves that hackers are not bad people. Someone worse could have found this and used it to financially ruin Twitter. He found a flaw that could have made Twitter lose MILLIONS, and they only gave him about 3 grand? That’s crap to be honest… This guy deserves a lot more than that.
I think you meant “are not (All) bad people.”
I would have ruined them, I hate twitter.
Twitter is where Anons live and connect to other Anons. Don’t destroy it. It would be a VERY BIG loss to us.
Worthy of every praise.
I love twitter! I liked #FreeLorax and had lots of fun with anons! It was a pleasure for me. I wasn't hacking. Just making a racket and having fun at the same time. As long as the instructions they gave were autism-friendly, I was able to follow them and copy paste the whole Dr. Seuss Lorax story. Now I know it by heart :p