Unauthorized Access to Media Content of Twitter Private Tweets and Messages (IDOR)

Hi All,

Company Info :
Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app. Twitter Inc. is based in San Francisco, California, United States, and has more than 25 offices around the world.

Bug category :
Insecure Direct Object Reference (IDOR)
Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Technical Details of the Bug : 
Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.

Bug Description : 
It was Nov. 2015 when I started working on Twitter. I usually look for Authentication/IDOR/Privilege type issues. In ads.twitter.com we have the option of creating a campaign. While creating a campaign you can create new tweets in your campaign. When you upload an image in your tweet, a GET request retrieving the media is sent to the server.
Request Format :
https://ads.twitter.com/media_id_to_cdn_url.json?media_id=[Media_id]&_=1447455982153
In the response you will get a media link.
Ex : https://pbs.twimg.com/media-preview/snf:[Media_ID]/[Encrypted_ID].png

I noticed this request and started testing it for an IDOR issue.
What I found was that I was able to get the media content of private tweets and private messages of any user. I just needed to enumerate the media ID, which was a plain numeric value, and the endpoint never checked whether the media belonged to the requesting account.
As soon as I found this issue, I reported it to the Twitter security team through HackerOne.

Vulnerable Request : 
GET /media_id_to_cdn_url.json?media_id=[Media_id]&_=1447455982153 HTTP/1.1
Host: ads.twitter.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://ads.twitter.com/accounts/18ce53x5krr/campaigns/5936943/copy?campaign_type=followers&promoted_account=true&source=campaign_dashboard
Cookie: [Cookie_values]
Connection: keep-alive
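As an added illustration (not code from the report or from Twitter), here is a minimal model of the endpoint: the vulnerable handler resolves any numeric media_id for any logged-in caller, exactly the behaviour described above, while the fixed handler checks that the caller is allowed to see that media object and returns the same 404 for missing and unauthorized IDs. The media store, owner IDs and CDN paths are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Media:
    media_id: int
    owner_id: int
    cdn_path: str      # path under the CDN, e.g. "media-preview/snf:<id>/<hash>.png"
    visibility: str    # "public" or "private"


# Constructed sample store: sequential numeric ids, as in the report.
MEDIA_STORE = {
    1001: Media(1001, owner_id=42, cdn_path="media-preview/snf:1001/abc.png", visibility="public"),
    1002: Media(1002, owner_id=42, cdn_path="media-preview/snf:1002/def.png", visibility="private"),
    1003: Media(1003, owner_id=7, cdn_path="media-preview/snf:1003/ghi.png", visibility="private"),
}
CDN_BASE = "https://pbs.twimg.com/"


def media_id_to_cdn_url_vulnerable(requester_id, media_id):
    """Vulnerable form: the id is looked up and returned with no ownership check.
    requester_id is accepted but never consulted, which is the whole bug."""
    media = MEDIA_STORE.get(media_id)
    if media is None:
        return 404, None
    return 200, CDN_BASE + media.cdn_path


def is_authorized(requester_id, media):
    """Hypothetical policy: public media is readable by anyone, private media
    only by its owner (a real service would also consult the follower list or
    DM participants, which this model leaves out)."""
    return media.visibility == "public" or media.owner_id == requester_id


def media_id_to_cdn_url_fixed(requester_id, media_id):
    """Fixed form: authorization is checked against the requesting account.
    Missing and unauthorized ids get the identical response, so the endpoint
    does not confirm which ids exist."""
    media = MEDIA_STORE.get(media_id)
    if media is None or not is_authorized(requester_id, media):
        return 404, None
    return 200, CDN_BASE + media.cdn_path
```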


Video POC : 

Impact : 
Any attacker with a Twitter account can get the media content of all private tweets and private messages, without any interaction from the victim.

Timeline : 
November 14th 2015 : Report sent to Twitter Security Team through HackerOne
November 17th 2015 : Report triaged by the team
November 21st 2015 : $420 bounty rewarded
The issue was resolved a long time ago, but the report is still in triaged state.


