A critical flaw in Twitter allows to delete payment cards from any account

  • 16 September 2014
  • 2 replies
  • 805 views

by Pierluigi Paganini on September 16th, 2014
 

An Egyptian security researcher has discovered a critical flaw in the Twitter platform which allows an attacker to delete credit cards from any Twitter account.

The Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela has discovered a critical vulnerability in Twitter’s advertising service that allowed an attacker to delete credit cards from any Twitter account. Ahmed Mohamed Hassan Aboul-Ela is a popular bug hunter who has already received many rewards for the discovery of flaws in software of IT giants like Google, Microsoft and Apple.

In early September Twitter launched a bug bounty program, paying monetary rewards to security experts who find and report vulnerabilities in its software.
“We’re introducing a bug bounty program to thank researchers for responsibly-disclosed issues,” Twitter said through its Twitter account.
As explained in Ahmed Mohamed Hassan Aboul-Ela’s blog post, the researcher discovered two distinct vulnerabilities in ads.twitter.com having the “same effect and impact.”

http://securityaffairs.co/wordpress/wp-content/uploads/2014/09/twitter-payment-methods.png

Full Article

By Eduard Kovacs on September 17, 2014
 
A researcher has uncovered a vulnerability on one of Twitter's subdomains that could have been exploited to delete all the payment cards used by customers to pay for advertisements.
Companies and individuals that want to run ad campaigns on Twitter's platform are required to add a payment card to their account. Egyptian security researcher Ahmed Aboul-Ela discovered multiple Insecure Direct Object Reference flaws that could have been leveraged by an attacker to delete the cards associated with Twitter Ads.
Aboul-Ela identified the first vulnerability after analyzing the POST request sent to the server when the "Delete this card" button is clicked. The request contained the parameters "account," the ID of the Twitter account, and "id," a 6-digit number associated with the customer's credit card. By changing the value of these parameters to those of a different account he owns, the researcher managed to delete the card.
 
Full Article
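The flaw described above is a textbook Insecure Direct Object Reference: the delete handler authenticates the session but then acts on whatever "account" and "id" values the client sends. The following is an added illustration, not Twitter's code or anything from either article; the account names, card ids and in-memory store are constructed, and it shows the vulnerable handler pattern next to a hardened one that resolves the card only within the authenticated account.

```python
import copy

# Constructed sample data (not from the article): two advertiser accounts, each
# owning one payment card identified by a 6-digit id, the format the article describes.
SAMPLE_CARDS = {
    "acct_alice": {"102345"},
    "acct_bob": {"108811"},
}


class Forbidden(Exception):
    """Raised when the request is authenticated but not authorized for this card."""


def new_store():
    """Fresh copy of the sample data so every run starts from the same state."""
    return copy.deepcopy(SAMPLE_CARDS)


def delete_card_vulnerable(store, session_account, req_account, card_id):
    """IDOR pattern: the session is authenticated, but the handler then trusts the
    client-supplied 'account' and 'id' parameters and never checks ownership.
    The session_account is accepted but ignored, which is the whole bug."""
    cards = store.get(req_account)
    if cards is None or card_id not in cards:
        return False
    cards.remove(card_id)
    return True


def delete_card_fixed(store, session_account, req_account, card_id):
    """Hardened handler: the object reference is resolved only inside the
    authenticated account. The 'account' parameter must match the session, and
    the card id must be one of that account's own cards."""
    if req_account != session_account:
        raise Forbidden("account parameter does not match the authenticated session")
    cards = store[session_account]
    if card_id not in cards:
        # Same outcome as "not found", so the response does not confirm which
        # card ids exist under other accounts.
        raise Forbidden("card not found for this account")
    cards.remove(card_id)
    return True


if __name__ == "__main__":
    store = new_store()
    # Bob's session submits Alice's account id and card id: the vulnerable
    # handler deletes Alice's card, the fixed one refuses.
    print(delete_card_vulnerable(store, "acct_bob", "acct_alice", "102345"))
    store = new_store()
    try:
        delete_card_fixed(store, "acct_bob", "acct_alice", "102345")
    except Forbidden as exc:
        print("blocked:", exc)
    print(delete_card_fixed(store, "acct_bob", "acct_bob", "108811"))
```

In a real service the session account would come from the authenticated session, never from the request body, and an audit log entry for every rejected Forbidden would give detection a signal for enumeration of card ids.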
Twitter has to be biting its nails on this one especially where it would hit them in their pocket book
