- Apr 25, 2013
FIRST VULNERABILITY
Aboul-Ela initially found two different vulnerabilities in ads.twitter.com, both of which, in his words, had the “same effect and impact.” The first flaw was in the Delete function for credit cards on the payment methods page, https://ads.twitter.com/accounts/[account id]/payment_methods
Choosing the Delete this card function sends an Ajax POST request to the server. The parameters sent in the request body are:
- Account: the Twitter account id
- ID: the credit card id, which is numerical without any alphabetic characters
The page responded with “403 Forbidden”, but the credit card was in fact deleted from the account: the authorization failure the server reported did not prevent the underlying deletion.
SECOND VULNERABILITY
Aboul-Ela found another, similar flaw in ads.twitter.com, but according to him the impact of this vulnerability was higher than that of the previous one.
When he tried to add an invalid credit card to his Twitter account, it displayed the error message “We were unable to approve the card you entered” and offered a “Dismiss” button. Clicking the button made the credit card disappear from his account.
“I thought it had the same effect as deleting, so I tried to add an invalid credit card again and intercepted the request,” he said. Unlike the first vulnerability, there is no account parameter at all; only the credit card id is used. He changed the credit card id in both the URL and the body to the id of a credit card belonging to his other Twitter account, then replayed the request.
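Both flaws are insecure direct object references: the server acts on account and card identifiers supplied by the client without confirming that the authenticated user owns them, and in the first case it even performs the deletion before reporting a 403. The following is an added example, not Twitter's code and not Aboul-Ela's proof of concept. It models the two endpoints over an in-memory store with constructed account, card and user identifiers, showing each endpoint in a form that reproduces the reported behaviour and in a fixed form that resolves ownership server-side and checks it before any state changes.

```python
# Added example (not Twitter's code): in-memory model of the two
# ads.twitter.com payment-method endpoints discussed above, each in a
# vulnerable form reproducing the reported behaviour and a fixed form.
# All account ids, card ids and user names below are constructed sample data.

from dataclasses import dataclass, field


@dataclass
class Card:
    card_id: int
    account_id: int
    approved: bool = True


@dataclass
class Store:
    owners: dict = field(default_factory=dict)  # account id -> owning user
    cards: dict = field(default_factory=dict)   # card id -> Card


def sample_store() -> Store:
    """Two accounts owned by different users; card 6 was rejected (shows 'Dismiss')."""
    s = Store()
    s.owners = {1001: "alice", 2002: "bob"}
    s.cards = {
        5: Card(card_id=5, account_id=1001),
        6: Card(card_id=6, account_id=1001, approved=False),
        9: Card(card_id=9, account_id=2002),
    }
    return s


# --- First endpoint: "Delete this card", body carries Account and ID ---

def delete_card_vulnerable(store, user, account_id, card_id):
    """Deletes first and authorizes second: caller sees 403, but the card is gone."""
    store.cards.pop(card_id, None)             # state change happens unconditionally
    if store.owners.get(account_id) != user:
        return 403                             # too late: the delete already happened
    return 200


def delete_card_fixed(store, user, account_id, card_id):
    """Check account ownership and the card's membership in it before touching state."""
    if store.owners.get(account_id) != user:
        return 403
    card = store.cards.get(card_id)
    if card is None or card.account_id != account_id:
        return 404                             # don't confirm other accounts' card ids
    del store.cards[card_id]
    return 200


# --- Second endpoint: "Dismiss" a rejected card, keyed by card id only ---

def dismiss_card_vulnerable(store, user, card_id):
    """No account parameter and no ownership check derived from the card itself."""
    store.cards.pop(card_id, None)
    return 200


def dismiss_card_fixed(store, user, card_id):
    """Resolve the owner server-side from the card, never from client input."""
    card = store.cards.get(card_id)
    if card is None or store.owners.get(card.account_id) != user:
        return 404
    if not card.approved:                      # Dismiss only applies to rejected cards
        del store.cards[card_id]
    return 200


def demo():
    """bob replays each request with alice's identifiers; returns status + outcome."""
    results = {}
    s = sample_store()
    results["delete_vuln_status"] = delete_card_vulnerable(s, "bob", 1001, 5)
    results["delete_vuln_card_gone"] = 5 not in s.cards
    s = sample_store()
    results["delete_fixed_status"] = delete_card_fixed(s, "bob", 1001, 5)
    results["delete_fixed_card_gone"] = 5 not in s.cards
    s = sample_store()
    results["dismiss_vuln_status"] = dismiss_card_vulnerable(s, "bob", 5)
    results["dismiss_vuln_card_gone"] = 5 not in s.cards
    s = sample_store()
    results["dismiss_fixed_status"] = dismiss_card_fixed(s, "bob", 5)
    results["dismiss_fixed_card_gone"] = 5 not in s.cards
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable delete handler returns 403 to the attacker exactly as the article reports, yet the victim's card is removed, because the ownership check runs after the write. The fixed handlers perform the check before any state change and look up ownership from the stored card rather than trusting an account id or card id sent by the client, which closes both variants regardless of which identifiers the request carries.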