Menu
Twitter patches vulnerability that could have impacted advertising accounts

Twitter patches vulnerability that could have impacted advertising accounts

The security flaw was reported through the company's new bug bounty program and researcher was rewarded with $2,800

Twitter's recently announced bug bounty program has helped the company identify and patch a serious vulnerability that could have potentially disrupted advertising on its platform.

The flaw would have allowed hackers to delete credit cards associated with accounts on ads.twitter.com, the control panel through which advertisers manage their campaigns on Twitter, according to Ahmed Aboul-Ela, the security researcher who found the issue and reported it to the company.

Exploiting the vulnerability only required sending a specially crafted request to a specific URL containing a six-digit ID assigned to a credit card stored on the platform.

A blackhat hacker could have written a simple script in Python to send requests in a loop and iterate through all possible ID combinations to delete credit cards from all Twitter accounts, Aboul-Ela said in a blog post. This could have halted ad campaigns causing financial losses for Twitter, he said.

The researcher started searching for vulnerabilities in the platform after reading about Twitter's new bug bounty program. The company announced on Sept. 3 that it will start paying a minimum of US$140 per vulnerability to researchers who privately report flaws they discover in its Web services and mobile apps.

According to Twitter's page on the HackerOne bug bounty platform, the company paid Aboul-Ela $2,800 for his report, the highest reward it has issued so far.

This incident enforces the idea that bug bounty programs are a successful method of incentivizing researchers to search for vulnerabilities and report them responsibly to the affected companies.

Vulnerability reward programs have come a long way since 2010, when Google became one of the first Internet companies to launch such a program for its online services. Many companies have since followed suit including Facebook, Yahoo, PayPal, Mozilla and Twitter. Today there are even platforms like HackerOne, Bugcrowd and CrowdCurity that can help smaller companies set up their own bug bounty programs.

However, while a well-resourced and implemented bug bounty scheme can be very useful, a poorly managed one can do more harm than good, according to Ilia Kolochenko, CEO of penetration testing firm High-Tech Bridge.

Companies should be aware that a vulnerability reward program will likely attract scans and probes from inexperienced vulnerability hunters who might accidentally damage live systems, he said in a blog post Wednesday. Running such programs also requires dedicated, well staffed security teams who can investigate the often poorly documented reports and figure out where the problem lies, he said.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securitytwitteronline safetypatchesExploits / vulnerabilitiesHigh-Tech Bridge

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments