Twitter patches vulnerability that could have impacted advertising accounts

The security flaw was reported through the company's new bug bounty program and researcher was rewarded with $2,800

Twitter's recently announced bug bounty program has helped the company identify and patch a serious vulnerability that could have potentially disrupted advertising on its platform.

The flaw would have allowed hackers to delete credit cards associated with accounts on, the control panel through which advertisers manage their campaigns on Twitter, according to Ahmed Aboul-Ela, the security researcher who found the issue and reported it to the company.

Exploiting the vulnerability only required sending a specially crafted request to a specific URL containing a six-digit ID assigned to a credit card stored on the platform.

A blackhat hacker could have written a simple script in Python to send requests in a loop and iterate through all possible ID combinations to delete credit cards from all Twitter accounts, Aboul-Ela said in a blog post. This could have halted ad campaigns causing financial losses for Twitter, he said.

The researcher started searching for vulnerabilities in the platform after reading about Twitter's new bug bounty program. The company announced on Sept. 3 that it will start paying a minimum of US$140 per vulnerability to researchers who privately report flaws they discover in its Web services and mobile apps.

According to Twitter's page on the HackerOne bug bounty platform, the company paid Aboul-Ela $2,800 for his report, the highest reward it has issued so far.

This incident enforces the idea that bug bounty programs are a successful method of incentivizing researchers to search for vulnerabilities and report them responsibly to the affected companies.

Vulnerability reward programs have come a long way since 2010, when Google became one of the first Internet companies to launch such a program for its online services. Many companies have since followed suit including Facebook, Yahoo, PayPal, Mozilla and Twitter. Today there are even platforms like HackerOne, Bugcrowd and CrowdCurity that can help smaller companies set up their own bug bounty programs.

However, while a well-resourced and implemented bug bounty scheme can be very useful, a poorly managed one can do more harm than good, according to Ilia Kolochenko, CEO of penetration testing firm High-Tech Bridge.

Companies should be aware that a vulnerability reward program will likely attract scans and probes from inexperienced vulnerability hunters who might accidentally damage live systems, he said in a blog post Wednesday. Running such programs also requires dedicated, well staffed security teams who can investigate the often poorly documented reports and figure out where the problem lies, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesonline safetysecurityHigh-Tech BridgetwitterExploits / vulnerabilities

More about FacebookGoogleMozillaPayPalYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place