For more than a year, all it would take is clicking on a maliciously crafted link on Twitter and your account could have been taken over and used to tweet, retweet, like, or block other users. The vulnerability was disclosed publicly on Wednesday, leading to a quick fix—and a scolding for the user who disclosed it.
Instead of earning a monetary reward from Twitter’s bug bounty program, the company banned the user from participating.
I submitted this bug report and didn’t receive a bounty. You told me that this bug has existed for a year. Seeing that you haven’t fixed it for so long, it seems that this bug is not important, so I made it public. pic.twitter.com/R9X4k8KqMZ
— rabbit (@rabbit_2333) December 12, 2023
The disclosure was made by pseudonymous Twitter user @rabbit_2333, who shared how an XSS vulnerability on Twitter’s analytics subdomain could be leveraged to give an attacker access to a third party’s profile and the ability to do almost everything except changing the account’s password.
The hack made use of cross-site scripting (XSS) and cross-site request forgery (CSRF). XSS attacks allow malicious actors to inject harmful scripts into web pages, while CSRF tricks users into executing actions on a web app where they’re already authenticated.
The Twitter bug ytilized both these methods, making it especially dangerous. By exploiting XSS, attackers could bypass web security measures and gain unauthorized access to user accounts.
As news of this vulnerability spread, Chaofan Shou, cofounder of the smart contract analysis platform Fuzz.Lan, stepped in to provide more details. He revealed how easy it was to build a powerful exploit tool based on this unaddressed vulnerability, and proovided a detailed explanation of how the bug worked and the potential damages it could cause.
😝 Here is the full disclosure of the Twitter XSS + CSRF vulnerability.
Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.) pic.twitter.com/MVJ1MvHt6H
— Chaofan Shou (@shoucccc) December 13, 2023
Shou’s write up was followed by comments from cybersecurity researcher Sam Sun, who provided practical advice on how to avoid the exploit, and highlighting the lack of safety even for those using Twitter on their phones via browsers.
If you’re using Twitter on your phone in your browser, you’re vulnerable because you can’t install extensions, so just log out and use the app instead (or if you’re an app purist, just live without Twitter for a few days)
— samczsun (@samczsun) December 13, 2023
Sun noted that the privacy-centric web browser Brave would have prevented the exploit from working.
Twitter’s response was swift following this public disclosure. Within hours, they had patched the vulnerability, as confirmed by Sun. Despite the potential severity of the flaw, however, @rabbit_2333 was not rewarded for his discovery. Instead, he was notified of his banishment from Twitter’s bug bounty program.
“Thank you Twitter,” the user wrote, with screenshots of Twitter’s ban notification.
As comments flooded in about whether @rabbit_2333 should have posted about the bug or not, the user claimed that they did follow proper protocol at first. It was only when Twitter dismissed the severity and its eligibility for a bounty that they went public, the user said.
I submitted this bug report and didn’t receive a bounty. You told me that this bug has existed for a year. Seeing that you haven’t fixed it for so long, it seems that this bug is not important, so I made it public. pic.twitter.com/R9X4k8KqMZ
— rabbit (@rabbit_2333) December 12, 2023
The purpose of bug bounty programs is to prevent incidents like this one, incentivising developers to discover security holes with rewards and an agreement not to disclose them while the company fixes things.
Bug bounty programs are common in software development, as well as in cryptocurrency, particularly when dealing with smart contracts. While running such programs can be challenging, the prevention of a security breach is typically seen as worth the effort.
White-hat and bug-bounty incentive programs typically require vulnerabilities to be kept confidential. But they also often have expiration dates, to ensure the software developer acts in a timely manner.
Edited by Ryan Ozawa.
Stay on top of crypto news, get daily updates in your inbox.
Source: https://decrypt.co/209707/twitter-user-finds-critical-bug-that-could-have-wrecked-your-x-account-and-gets-banned-for-it