A critical flaw in Twitter allowed the deletion of payment cards from any account


An Egyptian security researcher has discovered a critical flaw in the Twitter platform that allowed an attacker to delete credit cards from any Twitter account.

The Egyptian security researcher Ahmed Mohamed Hassan Aboul-Ela discovered a critical vulnerability in Twitter’s advertising service that allowed an attacker to delete credit cards from any Twitter account. Aboul-Ela is a well-known bug hunter who has already received many rewards for discovering flaws in the software of IT giants such as Google, Microsoft and Apple.
In early September Twitter launched a bug bounty program, paying monetary rewards to security experts who find and report vulnerabilities in its software.
“We’re introducing a bug bounty program to thank researchers for responsibly-disclosed issues,” Twitter said through its Twitter account.
As explained in Ahmed Mohamed Hassan Aboul-Ela’s blog post, the researcher discovered two distinct vulnerabilities in ads.twitter.com having the “same effect and impact.”
“I’ve successfully found a CSRF vulnerability that can add many followers in a single request and bypass the CSRF token protection, but unfortunately it was a duplicate issue. I started looking again for some more critical bugs and I successfully found a serious logical vulnerability [insecure direct object reference] in ads.twitter.com that allowed me to delete credit cards from any Twitter account. The impact of the vulnerability was very critical and high because all that’s needed to delete a credit card is to have the credit card identifier, which consists only of 6 numbers such as “220152”,” states the post.
The first vulnerability affects the “Delete” function for credit cards on the payment method page:
https://ads.twitter.com/accounts/[account id]/payment_methods
When a Twitter user tries to delete a card, the function sends an AJAX POST request to the server with the following parameters:
- Account: the Twitter account id
- ID: the credit card id, which is numerical, without any alphabetic characters
Playing with both parameters, the expert discovered that it was easy to delete the payment cards of any Twitter account. He highlighted that although the response was “403 Forbidden”, the payment card was nevertheless deleted.

“All I had to do is to change those two parameters to my other Twitter account id and credit card id, then replay again the request, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction,” Aboul-Ela wrote.

Aboul-Ela also discovered a second, similar vulnerability affecting ads.twitter.com, whose impact was higher than that of the first one. When he tried to add an invalid credit card to his Twitter account, the system returned the following message:
“We were unable to approve the card you entered”
Twitter then displays a “Dismiss” button to the user; clicking it causes the credit card to disappear from his account.

“I thought it had the same effect as deleting, so I tried to add an invalid credit card again and intercepted the request,” he said.

Note that, unlike with the first flaw, the expert only modified the credit card id in the URL and in the request body to a credit card id from another Twitter account and then replayed the request.

This means that it was possible to delete the payment card with that specific id from the other Twitter account.
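Both flaws reduce to the same defect: the server trusts a bare card identifier and, in the first case, reports the authorization failure only after the deletion has already happened. The following is an added example, not Twitter’s code and not the researcher’s proof of concept; the in-memory store, the account and card identifiers and the handler names are constructed for illustration. It places a vulnerable delete handler beside a fixed one that makes every authorization decision before touching the store and scopes the card lookup to the account named in the URL.

```python
"""Added example modelling the ads.twitter.com card-delete authorization bug.
Constructed in-memory data; not the real service's code."""
from dataclasses import dataclass, field


@dataclass
class PaymentStore:
    # card id -> account id that owns the card (six-digit ids like the post's "220152")
    cards: dict = field(default_factory=dict)
    # account id -> user who administers that ads account
    account_owner: dict = field(default_factory=dict)


def sample_store():
    """Constructed sample data: two users, two ads accounts, one card each."""
    store = PaymentStore()
    store.account_owner = {"acct-A": "alice", "acct-B": "bob"}
    store.cards = {"220152": "acct-A", "220153": "acct-B"}
    return store


def delete_card_vulnerable(store, session_user, account_id, card_id):
    """Mirrors the behaviour the post describes: the card is removed by its
    identifier alone, and the ownership check runs only afterwards, so the
    caller sees a 403 although the card is already gone."""
    if card_id in store.cards:
        del store.cards[card_id]  # side effect first ...
    if store.account_owner.get(account_id) != session_user:
        return 403  # ... authorization decision too late
    return 200


def delete_card_fixed(store, session_user, account_id, card_id):
    """Authorization before any mutation, and the card lookup is scoped to
    the account in the URL rather than to a global card id."""
    # 1. the caller must control the account named in the URL
    if store.account_owner.get(account_id) != session_user:
        return 403
    # 2. the card must belong to that same account; another account's id is
    #    indistinguishable from a nonexistent one
    if store.cards.get(card_id) != account_id:
        return 404
    del store.cards[card_id]
    return 200


if __name__ == "__main__":
    s = sample_store()
    print("vulnerable:", delete_card_vulnerable(s, "alice", "acct-B", "220153"),
          "card still present:", "220153" in s.cards)
    s = sample_store()
    print("fixed:", delete_card_fixed(s, "alice", "acct-B", "220153"),
          "card still present:", "220153" in s.cards)
```

The 403 the researcher saw next to a successful deletion is the signature of the vulnerable ordering: the handler mutated state and only then evaluated whether the caller was allowed to. The fixed handler also returns 404 rather than 403 when the card exists but belongs to another account, so a guessed identifier leaks nothing about other accounts’ cards.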

Below is the video proof of concept sent by Aboul-Ela.

Pierluigi Paganini

(Security Affairs – Twitter security flaw, hacking)