Twitter's Ads network appears to have been in real danger. This was revealed by Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela. Aboul-Ela, a veteran security researcher, has many bounties to his name and has been rewarded by top tech giants such as Google, Microsoft and Apple.
Aboul-Ela discovered that Twitter had a critical vulnerability in its advertising service. This vulnerability apparently allowed Aboul-Ela to delete credit card information from ANY Twitter account.
According to Aboul-Ela, the vulnerability is very critical and high risk because all that is needed to delete a credit card is its identifier, which consists of only 6 digits, such as “220152”.
Any blackhat hacker with basic knowledge of writing simple Python code and a simple six-digit loop could delete all credit cards from all Twitter accounts. If such an incident took place, it would result in a heavy financial loss to Twitter.
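The risk described above is an enumeration of a small identifier space, which is also what makes it detectable on the server side. The following is an added example, not code from the article or from Twitter: it parses constructed access-log lines (the log format, path names and user names are assumptions) and flags any client that issues delete requests against many distinct card identifiers within a short window. It deliberately ignores the HTTP status code, because, as the article notes further on, the server answered “403 Forbidden” while still deleting the card, so a detector that only counts 2xx responses would miss exactly this activity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not Twitter's real log format):
#   <iso-timestamp> <client-ip> <authenticated-user> DELETE_CARD account=<id> id=<card-id> status=<http-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) DELETE_CARD "
    r"account=(?P<account>\S+) id=(?P<card>\d+) status=(?P<status>\d{3})$"
)

# Constructed sample: "researcher" replays a delete request against a run of
# consecutive card identifiers (statuses alternate 200/403); "alice" removes
# one card of her own. None of these values are real.
SAMPLE_LOG = "\n".join(
    [
        f"2014-06-10T12:00:{i:02d}Z 203.0.113.7 researcher DELETE_CARD "
        f"account=acct_B id={220150 + i} status={'403' if i % 2 else '200'}"
        for i in range(8)
    ]
    + ["2014-06-10T12:05:00Z 198.51.100.9 alice DELETE_CARD account=acct_A id=310077 status=200"]
)


def parse_events(text):
    """Parse log lines into dicts with a datetime timestamp and an int card id.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["card"] = int(ev["card"])
        events.append(ev)
    return events


def find_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {user: (distinct_cards, consecutive_pairs)} for every user who
    targets more than `threshold` distinct card ids inside one time window.
    The status code is ignored on purpose: a denied-looking response does not
    prove the deletion did not happen. `consecutive_pairs` counts adjacent ids
    (n, n+1) among the targeted cards, a strong hint of a counting loop."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            cards = sorted({e["card"] for e in evs[start:end + 1]})
            if len(cards) > threshold:
                consecutive = sum(1 for a, b in zip(cards, cards[1:]) if b - a == 1)
                best = alerts.get(user)
                if best is None or len(cards) > best[0]:
                    alerts[user] = (len(cards), consecutive)
    return alerts


if __name__ == "__main__":
    for user, (n, runs) in find_enumeration(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT user={user} distinct_cards={n} consecutive_pairs={runs}")
```

In a real deployment the same logic would key on the authenticated principal rather than the client IP, since the requests in the article were all made from a legitimately logged-in account; rate limiting the delete endpoint per principal is the cheap complementary control.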
“I started looking again for some more critical bugs and I successfully found a serious logical vulnerability [insecure direct object reference] in ads.twitter.com that allowed me to delete credit cards from any Twitter account,” he wrote.
Aboul-Ela found two different vulnerabilities in ads.twitter.com and submitted a PoC for each of them.
The first vulnerability he spotted was in the delete functionality for credit cards on the ‘Payment methods’ page. Choosing the delete option on the ‘Payment methods’ page sent an AJAX POST request to the server. This request carried only two parameters:
Account: the Twitter account ID
ID: the credit card identifier
“All I had to do was change those two parameters to my other Twitter account ID and credit card ID, then replay the request, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction,” he wrote.
Upon sending the altered AJAX request to the Twitter server, it returned a “403 Forbidden” error page, but Aboul-Ela says that the credit card was actually deleted in that attempt.
The second vulnerability was in the card-validation flow. When he tried to add an invalid credit card to his Twitter account, it displayed the error message “We were unable to approve the card you entered” along with a “Dismiss” button. Clicking the ‘Dismiss’ button removed the credit card from his account.
Unlike the first vulnerability, the account parameter does not exist in this request; only the credit card ID is used. He modified the credit card ID in the URL and body to the credit card ID from his other Twitter account and then replayed the request. Upon sending the request, Twitter, due to the same missing ownership check, deleted the credit card information from the other account. This vulnerability could also be used to drain Twitter of its advertising revenue. The proof-of-concept video made by Aboul-Ela is given below.
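Both flaws have the same root cause: the server trusted client-supplied identifiers (an account ID and a card ID in the first request, a card ID alone in the second) to decide what to delete, instead of checking that the logged-in user actually owns the card. The following added example, not code from the article or from Twitter, models a delete-card handler over a tiny in-memory store (account names, user names and card IDs are constructed) in its vulnerable form beside a hardened form that resolves ownership from the server-side session and the store, handles both request shapes, and refuses before any side effect.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    # account -> set of card identifiers on file
    cards: dict = field(default_factory=dict)
    # user -> set of accounts that user may administer (server-side truth)
    admins: dict = field(default_factory=dict)


def constructed_store():
    """Constructed sample data: two accounts, each with one card and one admin."""
    s = Store()
    s.cards = {"acct_A": {220152}, "acct_B": {220153}}
    s.admins = {"researcher": {"acct_A"}, "victim": {"acct_B"}}
    return s


def delete_card_vulnerable(store, params):
    """Mirrors the flaw described above: the account and card id both come from
    the request body and are used as-is, so whoever can guess a card id can
    delete it from any account. Returns an HTTP-style status code."""
    account, card = params["account"], int(params["id"])
    if card in store.cards.get(account, set()):
        store.cards[account].discard(card)
        return 200
    return 404


def delete_card_hardened(store, session_user, params):
    """Ownership is derived from the authenticated session and the store, never
    from the request. Works for both request shapes in the article: with an
    account parameter (which is ignored) and with only a card id (the Dismiss
    flow). Denies before touching any state."""
    card = int(params["id"])
    # Resolve the card to the account that actually holds it.
    owner = next((acct for acct, ids in store.cards.items() if card in ids), None)
    allowed = store.admins.get(session_user, set())
    # One identical 404 for "no such card" and "not your card": distinguishing
    # the two would tell a guesser which identifiers exist.
    if owner is None or owner not in allowed:
        return 404
    store.cards[owner].discard(card)
    return 200


if __name__ == "__main__":
    s = constructed_store()
    print("vulnerable:", delete_card_vulnerable(s, {"account": "acct_B", "id": "220153"}), s.cards)
    s = constructed_store()
    print("hardened:  ", delete_card_hardened(s, "researcher", {"account": "acct_B", "id": "220153"}), s.cards)
```

The point of the hardened version is that the authorization decision uses only values the server controls (the session's user and the store's own record of who holds the card); the client-supplied account parameter is never consulted, so there is nothing left for a replayed request to tamper with.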