How I exploited a Twitter vulnerability with minimal hacking skills…
…and started to learn more about it.
TL;DR: I was awarded a $560 bounty for creating an inconsistency inside Twitter's database without much in the way of hacking skills.
I was first introduced to cybersecurity by a college friend, Caio (great content, by the way), who also introduced me to the HackerOne bug bounty platform. He was tweeting a lot (well, not that much) saying that he “got awarded $xxx for finding a bug”. That got my attention and I started to understand how it works. I found that a lot of companies challenge hackers to get into their systems and find possible bugs. These bugs range from “simple” IDORs to RCEs.
So, I decided to give it a try. I started looking into more famous companies, such as Airbnb, Twitter and Spotify. After quite a while of going back and forth between these, I found something quite weird in Twitter. Even now, if you go to your DMs and click on one of them, you will see the URL change to something like:
https://twitter.com/messages/<NUMBER>-<NUMBER>
Looking into the backend responses in the network tab, I found that these two numbers are (some sort of) id for each of the two users. Combined, they form what Twitter calls a conversation_id. They probably have some other reference for each user elsewhere on the platform, but they use these numbers to reference each user inside the conversation_id. I looked at these numbers and I thought:
What if we swap these numbers?
I did that. The page completely broke afterwards, as you can see in the image below. The messages were gone. It was as if we were initiating a new conversation with someone that didn’t follow me.
I was presented with two options: Accept or Delete?
Accept
Nothing actually happens. Well, something happens. Probably the backend identifies that this conversation_id already exists, but with the ids in the original order, and raises an exception telling me to reload the page. I reloaded and everything was back to normal.
Delete
This is where the magic happened. When I clicked “Delete”, it actually deleted my whole original conversation, without using the original conversation_id.
What does this mean? I’m able to delete any conversation without any access to the proper conversation_id. There is more. Once I did that, I tried to see my messages on the iPhone. The messages were there, but once I sent one more (via iPhone), the message didn’t appear on my Twitter web page. The app lost sync with Twitter Web. Messages sent via the app weren’t being shown on the web, and messages sent from the web weren’t being shown on the app. Basically, I broke the sync between the databases. I caused an inconsistency that Twitter couldn’t repair and fix autonomously. I explained the steps to the triagers on HackerOne; they agreed it was an issue and rewarded me with a $560 bounty.
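The root cause described above is a composite identifier with two spellings (“A-B” and “B-A”) that different code paths treat differently: the read path saw a brand-new empty conversation, while the delete path resolved to the original one. The following is an added example, not code from the original post and not Twitter’s code; it models that behaviour in a toy message store (the `VulnerableStore` model, the `HardenedStore` fix, the ids `100`, `200` and `300`, and the seeded messages are all constructed assumptions) and shows the usual fix: one resolver that canonicalises the id and checks that the caller is a participant, used by every operation.

```python
import re

# Constructed example: a toy message store that models the conversation_id
# behaviour described in the post. Not Twitter's code; class and function
# names are hypothetical.

CONV_ID_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_conversation_id(raw):
    """Split '<id>-<id>' into two ints; reject anything else."""
    m = CONV_ID_RE.match(raw)
    if not m:
        raise ValueError(f"malformed conversation id: {raw!r}")
    return int(m.group(1)), int(m.group(2))


def canonical_conversation_id(a, b):
    """The single valid spelling of a pair of user ids: lower id first."""
    lo, hi = sorted((a, b))
    return f"{lo}-{hi}"


class VulnerableStore:
    """Assumed model of the bug: reads key off the raw string (so the
    reversed id looks like an empty, brand-new conversation) while delete
    canonicalises the id and therefore hits the real conversation."""

    def __init__(self):
        self.conversations = {}  # canonical id -> list of messages

    def seed(self, a, b, messages):
        self.conversations[canonical_conversation_id(a, b)] = list(messages)

    def get_messages(self, raw_id, requester):
        parse_conversation_id(raw_id)  # only the syntax is checked here
        # Modelled defect: no canonicalisation on the read path.
        return list(self.conversations.get(raw_id, []))

    def delete(self, raw_id, requester):
        a, b = parse_conversation_id(raw_id)
        # Modelled defect: this path does canonicalise, and nothing checks
        # that the requester is a participant, so the reversed id removes
        # the original conversation.
        self.conversations.pop(canonical_conversation_id(a, b), None)


class HardenedStore(VulnerableStore):
    """Every operation resolves the id through one function that both
    canonicalises it and checks that the requester is a participant."""

    def _resolve(self, raw_id, requester):
        a, b = parse_conversation_id(raw_id)
        if requester not in (a, b):
            raise PermissionError("requester is not a participant")
        return canonical_conversation_id(a, b)

    def get_messages(self, raw_id, requester):
        key = self._resolve(raw_id, requester)
        return list(self.conversations.get(key, []))

    def delete(self, raw_id, requester):
        self.conversations.pop(self._resolve(raw_id, requester), None)


def demo():
    """Replay the post's steps against both stores; return the outcomes."""
    results = {}
    for name, cls in (("vulnerable", VulnerableStore), ("hardened", HardenedStore)):
        store = cls()
        store.seed(100, 200, ["hello", "world"])  # constructed conversation
        swapped = "200-100"  # the reversed spelling of "100-200"
        results[f"{name}_swapped_read"] = store.get_messages(swapped, 100)
        store.delete(swapped, 100)  # user 100 clicks Delete on the odd page
        results[f"{name}_after_delete"] = store.get_messages("100-200", 100)
        store.seed(100, 200, ["hello", "world"])  # recreate it for the outsider check
        try:
            store.delete(swapped, 300)  # constructed user 300 is not a participant
            results[f"{name}_outsider_delete"] = "allowed"
        except PermissionError:
            results[f"{name}_outsider_delete"] = "rejected"
        results[f"{name}_after_outsider"] = store.get_messages("100-200", 100)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable model the swapped id reads as empty yet its delete removes the real conversation, which is exactly the read/delete disagreement the post describes; in the hardened model both paths agree because they share one resolver, and a caller who is not one of the two ids in the key is refused before any lookup happens.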
This was the first of a number of other reports. Some were duplicates, some informative. But one of the things I learned from starting this initiative is how collaborative the hacking community is. I was able to find a lot of docs, scripts and videos about anything I wanted to exploit. This opened a new world in programming for me. I learned how to search for things, I learned how important it is to be clear about the information you provide, and I also learned how important it is to give something back. I started contributing more to some open-source projects to give others the same opportunity that was given to me.
That is it. Hope you enjoyed it, and let’s hack the planet.