Twitter's Ads network appears to have been in real danger. This was revealed by Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela. Aboul-Ela, a veteran security researcher, has many bounties to his name and has been rewarded by top tech companies such as Google, Microsoft and Apple.
Aboul-Ela discovered that Twitter had a critical vulnerability in its advertising service. This vulnerability apparently allowed Aboul-Ela to delete credit card information from ANY Twitter account.
According to Aboul-Ela, the vulnerability is very critical and high risk because all that is needed to delete a credit card is the credit card identifier, which consists of only six digits, such as "220152".
Any black-hat hacker with basic knowledge of writing simple Python code and a simple six-digit loop could delete all credit cards from all Twitter accounts. If any such incident took place, it would result in a heavy financial loss to Twitter.
“I started looking again for some more critical bugs and I successfully found a serious logical vulnerability [insecure direct object reference] in ads.twitter.com that allowed me to delete credit cards from any Twitter account,” he wrote.
Aboul-Ela found two different vulnerabilities in ads.twitter.com, and he has submitted the PoC for both of them.
FIRST VULNERABILITY:
The first vulnerability he spotted was in the delete functionality for credit cards on the ‘Payment methods’ page. Choosing the delete option on the ‘Payment methods’ page sent an AJAX POST request to the server. This request carried only two parameters.
https://ads.twitter.com/accounts/[account id]/payment_methods
Account: the Twitter account ID
ID: the credit card ID (the six-digit identifier)
“All I had to do was to change those two parameters to my other Twitter account ID and credit card ID, then replay the request again, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction,” he wrote.
Upon sending the altered request to the Twitter server, it returned a “403 Forbidden” error page, but Aboul-Ela says that the credit card was actually deleted in that attempt.
SECOND VULNERABILITY:
When he tried to add an invalid credit card to his Twitter account, it displayed the error message “We were unable to approve the card you entered” and served a “Dismiss” button. On clicking the ‘Dismiss’ button, the credit card disappeared from his account.
Unlike the first vulnerability, the account parameter does not exist in this request; only the credit card ID is used. He modified the credit card ID in the URL and body to the ID of a credit card from his other Twitter account and then replayed the request. Upon receiving the request, Twitter, due to an inherent flaw, deleted the credit card information from the other account. This vulnerability could also be used to drain Twitter of its revenue. The proof-of-concept video made by Aboul-Ela is given below.
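As an added illustration, not code from the article or from Twitter, the following Python sketch models the authorization mistake behind both findings: a delete handler that trusts the account and card IDs in the request, beside versions that verify ownership before acting. The in-memory store, user names, account IDs and card IDs are constructed, and the "delete first, then 403" ordering in the vulnerable handler is an assumption about one way the observed 403-but-deleted behaviour can arise.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    """Constructed in-memory stand-in for the ads backend: which user owns
    which account, and which card identifiers are attached to each account."""
    owner_of_account: dict = field(default_factory=lambda: {
        "acct_alice": "alice", "acct_bob": "bob"})          # constructed
    cards: dict = field(default_factory=lambda: {
        "acct_alice": {"220152"}, "acct_bob": {"220153"}})  # constructed ids

def delete_card_vulnerable(store, session_user, account_id, card_id):
    """IDOR as in the first finding: the card id from the request is acted on
    directly. The ownership check runs after the side effect (an assumed
    ordering), so the caller sees 403 but the card is already gone."""
    for account_cards in store.cards.values():
        account_cards.discard(card_id)                 # acts on any account
    if store.owner_of_account.get(account_id) != session_user:
        return 403                                     # too late to matter
    return 200

def delete_card_hardened(store, session_user, account_id, card_id):
    """Authorize, then act: the session user must own the account named in
    the request, and the card must belong to that same account."""
    if store.owner_of_account.get(account_id) != session_user:
        return 403
    account_cards = store.cards.get(account_id, set())
    if card_id not in account_cards:
        return 404                                     # no cross-account reach
    account_cards.remove(card_id)
    return 200

def dismiss_card_hardened(store, session_user, card_id):
    """Shape of the second finding: the request carries only a card id. Derive
    the owning account from the card itself instead of trusting the client."""
    for account_id, account_cards in store.cards.items():
        if card_id in account_cards:
            if store.owner_of_account[account_id] != session_user:
                return 403
            account_cards.remove(card_id)
            return 200
    return 404
```

The hardened handlers make the same decision the vulnerable one skips: resolve who owns the object being deleted, and refuse before any state changes.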