Twitter patches vulnerability that could have impacted advertising accounts

The security flaw was reported through the company's new bug bounty program and researcher was rewarded with $2,800

Twitter's recently announced bug bounty program has helped the company identify and patch a serious vulnerability that could have potentially disrupted advertising on its platform.

The flaw would have allowed hackers to delete credit cards associated with accounts on ads.twitter.com, the control panel through which advertisers manage their campaigns on Twitter, according to Ahmed Aboul-Ela, the security researcher who found the issue and reported it to the company.

Exploiting the vulnerability only required sending a specially crafted request to a specific URL containing a six-digit ID assigned to a credit card stored on the platform.

A blackhat hacker could have written a simple script in Python to send requests in a loop and iterate through all possible ID combinations to delete credit cards from all Twitter accounts, Aboul-Ela said in a blog post. This could have halted ad campaigns causing financial losses for Twitter, he said.

The researcher started searching for vulnerabilities in the platform after reading about Twitter's new bug bounty program. The company announced on Sept. 3 that it will start paying a minimum of US$140 per vulnerability to researchers who privately report flaws they discover in its Web services and mobile apps.

According to Twitter's page on the HackerOne bug bounty platform, the company paid Aboul-Ela $2,800 for his report, the highest reward it has issued so far.

This incident enforces the idea that bug bounty programs are a successful method of incentivizing researchers to search for vulnerabilities and report them responsibly to the affected companies.

Vulnerability reward programs have come a long way since 2010, when Google became one of the first Internet companies to launch such a program for its online services. Many companies have since followed suit including Facebook, Yahoo, PayPal, Mozilla and Twitter. Today there are even platforms like HackerOne, Bugcrowd and CrowdCurity that can help smaller companies set up their own bug bounty programs.

However, while a well-resourced and implemented bug bounty scheme can be very useful, a poorly managed one can do more harm than good, according to Ilia Kolochenko, CEO of penetration testing firm High-Tech Bridge.

Companies should be aware that a vulnerability reward program will likely attract scans and probes from inexperienced vulnerability hunters who might accidentally damage live systems, he said in a blog post Wednesday. Running such programs also requires dedicated, well staffed security teams who can investigate the often poorly documented reports and figure out where the problem lies, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitytwitteronline safetypatchesExploits / vulnerabilitiesHigh-Tech Bridge

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?