$1120: ATO Bug in Twitter’s
Explore the story of a $1120 Twitter bug I found: a security flaw that allowed attackers to seize full control of accounts without knowing the password.

Everyone reading this is, I think, aware of Twitter. A couple of months after starting my bug bounty career, I found this bug in October 2020. It is about how an attacker who already had partial access to an account via session hijacking or cookie grabbing was able to delete the phone number, add their own number, change the password, and take full control of the account.
The Twitter Flow
Imagine you’re using Twitter, and suddenly, a hacker hijacks your session. It’s a scary scenario. But Twitter has implemented an extra layer of protection. When trying to make significant changes, like altering your phone number or disabling two-factor authentication (2FA), the hacker would typically be prompted to enter your account password. This would pose a challenge because they don’t have your password. However, there’s a twist to this story.
The Flaws
I discovered some flaws that enable a hacker with a hijacked session to bypass the password screen. This means that even though they don’t know your password, they could still make changes to your Twitter account.
How It Works:
Here’s how this vulnerability plays out:
- A session hijacker attempts to change your phone number or disable 2FA.
- Twitter usually requires a password confirmation to make these changes, but there’s a crucial issue.
- When the phone number is deleted, 2FA gets disabled, but the session still counts as 2FA-confirmed.
- But deleting the phone number requires the password, so I looked for an alternate route and explored the Twitter settings.
- I found something interesting. To understand how this works, let’s break it down step by step:
- Navigate to “Security and Privacy” in Twitter settings.
- Go to “Notification” and select “Preferences.”
- Choose “SMS Notification” and select the top phone number. Note that there’s no password confirmation to remove it, so proceed to delete.
So now we are halfway done…
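The root cause described above is that the password re-confirmation was attached to one settings route rather than to the phone-removal operation itself, so a second route reaching the same state change skipped it. The following toy model is an added example, not Twitter’s code: it contrasts a service where each route guards itself with one where the step-up check is bound to the mutation, and it also invalidates the step-up once a second factor is removed. Every class name, time window and account value is constructed for illustration.

```python
# Added example (not Twitter's code): a toy model of step-up authentication
# for phone-number removal. All names and values are constructed.
from dataclasses import dataclass
from typing import Optional

REAUTH_WINDOW_SECONDS = 300  # assumed step-up validity window (constructed)


class ReauthRequired(Exception):
    """A sensitive change was attempted without a fresh password confirmation."""


@dataclass
class Session:
    user_id: str
    # Time of the last successful password re-entry, or None if never (as for
    # a session obtained by cookie theft, which never saw the password).
    last_password_check: Optional[float] = None


@dataclass
class Account:
    user_id: str
    phone: Optional[str]
    two_factor_sms: bool


def require_fresh_reauth(session: Session, now: float) -> None:
    """Reject unless the session confirmed the password within the window."""
    last = session.last_password_check
    if last is None or now - last > REAUTH_WINDOW_SECONDS:
        raise ReauthRequired("password confirmation required")


class WeakAccountService:
    """Each route guards itself; the SMS-notification route forgot to."""

    def __init__(self, account: Account) -> None:
        self.account = account

    def delete_phone_via_security_page(self, session: Session, now: float) -> None:
        require_fresh_reauth(session, now)
        self._remove_phone()

    def delete_phone_via_sms_notifications(self, session: Session, now: float) -> None:
        # No check here: the same state change is reachable without the password.
        self._remove_phone()

    def _remove_phone(self) -> None:
        self.account.phone = None
        self.account.two_factor_sms = False  # SMS 2FA silently disabled


class HardenedAccountService:
    """The check lives on the mutation, so every route inherits it."""

    def __init__(self, account: Account) -> None:
        self.account = account

    def remove_phone(self, session: Session, now: float) -> None:
        require_fresh_reauth(session, now)
        self.account.phone = None
        if self.account.two_factor_sms:
            self.account.two_factor_sms = False
            # Losing a second factor is itself sensitive: spend the step-up so
            # later changes (for example the password) must re-prompt.
            session.last_password_check = None

    def delete_phone_via_security_page(self, session: Session, now: float) -> None:
        self.remove_phone(session, now)

    def delete_phone_via_sms_notifications(self, session: Session, now: float) -> None:
        self.remove_phone(session, now)


def simulate_hijacked_session(service_cls):
    """Drive both routes with a session that never entered the password.

    Returns (security_page_blocked, sms_route_blocked, phone_after, sms_2fa_after).
    """
    account = Account(user_id="u1", phone="+15550100", two_factor_sms=True)  # constructed
    session = Session(user_id="u1")  # stolen cookie: no password step-up
    service = service_cls(account)
    now = 1_000_000.0
    blocked = []
    for route in (service.delete_phone_via_security_page,
                  service.delete_phone_via_sms_notifications):
        try:
            route(session, now)
            blocked.append(False)
        except ReauthRequired:
            blocked.append(True)
    return blocked[0], blocked[1], account.phone, account.two_factor_sms


def simulate_legitimate_reauth():
    """Owner confirms the password and removes the phone; the step-up is then spent."""
    account = Account(user_id="u1", phone="+15550100", two_factor_sms=True)
    session = Session(user_id="u1", last_password_check=1_000_000.0)
    service = HardenedAccountService(account)
    service.remove_phone(session, now=1_000_010.0)
    return account.phone, account.two_factor_sms, session.last_password_check


if __name__ == "__main__":
    print("weak:", simulate_hijacked_session(WeakAccountService))
    print("hardened:", simulate_hijacked_session(HardenedAccountService))
    print("legitimate:", simulate_legitimate_reauth())
```

In the weak service the security-page route is blocked but the notification route removes the phone and disables SMS 2FA with no password, which is the pattern the write-up describes. In the hardened service both routes fail closed for a session that never re-entered the password, and a legitimate removal clears the step-up so that a follow-on password change must prompt again.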