Menu
Twitter patches vulnerability that could have impacted advertising accounts

Twitter patches vulnerability that could have impacted advertising accounts

The security flaw was reported through the company's new bug bounty program and researcher was rewarded with $2,800

Twitter's recently announced bug bounty program has helped the company identify and patch a serious vulnerability that could have potentially disrupted advertising on its platform.

The flaw would have allowed hackers to delete credit cards associated with accounts on ads.twitter.com, the control panel through which advertisers manage their campaigns on Twitter, according to Ahmed Aboul-Ela, the security researcher who found the issue and reported it to the company.

Exploiting the vulnerability only required sending a specially crafted request to a specific URL containing a six-digit ID assigned to a credit card stored on the platform.

A blackhat hacker could have written a simple script in Python to send requests in a loop and iterate through all possible ID combinations to delete credit cards from all Twitter accounts, Aboul-Ela said in a blog post. This could have halted ad campaigns causing financial losses for Twitter, he said.

The researcher started searching for vulnerabilities in the platform after reading about Twitter's new bug bounty program. The company announced on Sept. 3 that it will start paying a minimum of US$140 per vulnerability to researchers who privately report flaws they discover in its Web services and mobile apps.

According to Twitter's page on the HackerOne bug bounty platform, the company paid Aboul-Ela $2,800 for his report, the highest reward it has issued so far.

This incident enforces the idea that bug bounty programs are a successful method of incentivizing researchers to search for vulnerabilities and report them responsibly to the affected companies.

Vulnerability reward programs have come a long way since 2010, when Google became one of the first Internet companies to launch such a program for its online services. Many companies have since followed suit including Facebook, Yahoo, PayPal, Mozilla and Twitter. Today there are even platforms like HackerOne, Bugcrowd and CrowdCurity that can help smaller companies set up their own bug bounty programs.

However, while a well-resourced and implemented bug bounty scheme can be very useful, a poorly managed one can do more harm than good, according to Ilia Kolochenko, CEO of penetration testing firm High-Tech Bridge.

Companies should be aware that a vulnerability reward program will likely attract scans and probes from inexperienced vulnerability hunters who might accidentally damage live systems, he said in a blog post Wednesday. Running such programs also requires dedicated, well staffed security teams who can investigate the often poorly documented reports and figure out where the problem lies, he said.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesonline safetysecurityHigh-Tech BridgetwitterExploits / vulnerabilities

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments