Parameter pollution bug at Twitter


Detail

Twitter sends you an e-mail when someone follows you, when someone favourites your tweets, etc.

You can unsubscribe from Twitter notifications by clicking the "Unsubscribe" button in the footer of the mail. It then redirects you to a link like the following:

https://twitter.com/i/u?t=1&cn=bWVzc2FnZQ%3D%3D&sig=647192e86e28fb6691db2502c5ef6cf3xxx&iid=f6529edf-322d-xxx-b99a-067876dfe799&uid=1134885524&nid=22+26

The "uid" parameter contains your Twitter account's id value. I changed this parameter to another user's id value, but my IDOR test was not successful. (Of course it wasn't. lol)

I created a link as follows after a while:

https://twitter.com/i/u?t=1&cn=bWVzc2FnZQ%3D%3D&sig=647192e86e28fb6691db2502c5ef6cf3xxx&iid=f6529edf-322d-xxx-b99a-067876dfe799&uid=2321301342&uid=1134885524&nid=22+26

I added a second "uid" parameter to the link. The first "uid" parameter is my Twitter user id value and the second "uid" parameter is the victim user's id value. (Anyone can get the id value of any user from his profile page.)
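The bug above comes down to two parsers disagreeing about a duplicated query parameter: the component that validates the signed link reads one "uid", the component that performs the unsubscribe reads the other. The following Python is an added illustration, not Twitter's code; the HMAC-over-sorted-parameters signing scheme, the key and the user ids are constructed assumptions, but the first-vs-last parsing split is exactly what a duplicated key produces with the standard library.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed demo values; not real Twitter keys or accounts.
SERVER_KEY = b"constructed-demo-key"
MY_UID = "1134885524"
OTHER_UID = "2321301342"


def sign(params):
    """Assumed scheme: HMAC-SHA256 over the sorted, URL-encoded parameters."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def build_link(uid):
    """Query string of a legitimate unsubscribe link for one user."""
    params = {"t": "1", "cn": "bWVzc2FnZQ==", "uid": uid, "nid": "22 26"}
    params["sig"] = sign(params)
    return urlencode(params)


def unsubscribe_vulnerable(query):
    """Signature check reads the FIRST value of each key (parse_qs),
    but the action reads the LAST value (dict(parse_qsl)). A second
    uid appended after the signed one passes the check and is acted on."""
    checked = {k: v[0] for k, v in parse_qs(query).items()}
    sig = checked.pop("sig", "")
    if not hmac.compare_digest(sig, sign(checked)):
        return None
    return dict(parse_qsl(query))["uid"]


def unsubscribe_hardened(query):
    """One parser for both steps, and any repeated key is rejected
    before the signature is even examined."""
    parsed = parse_qs(query, keep_blank_values=True)
    if any(len(values) != 1 for values in parsed.values()):
        return None
    params = {k: v[0] for k, v in parsed.items()}
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, sign(params)):
        return None
    return params["uid"]


if __name__ == "__main__":
    polluted = build_link(MY_UID) + "&uid=" + OTHER_UID
    print("vulnerable acts on:", unsubscribe_vulnerable(polluted))  # OTHER_UID
    print("hardened acts on:  ", unsubscribe_hardened(polluted))    # None
```

A cheap detection for the same class of bug is to log and alert on any signed URL whose query contains a repeated key, since a correctly generated link never needs one.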


That's it!

I can unsubscribe any user's e-mail notifications. You can also access my PoC video.


Bug Timeline

  • I reported it. | on 2015-08-23
  • Twitter sent a first response. | on 2015-08-25
  • Twitter marked it as "Triaged". | on 2015-08-26
  • Twitter confirmed it and rewarded me. | on 2015-08-29
  • Twitter resolved it. | on 2015-08-30

Web Hacking 101

You can also read about this bug and more in Peter Yaworski's great book, Web Hacking 101.