An Egyptian security researcher, Ahmed Mohamed Hassan Aboul-Ela, has discovered a critical vulnerability in Twitter's advertising service that allowed him to delete credit cards from any Twitter account.
Aboul-Ela actually found two vulnerabilities, both with the same impact and both on the Twitter Ads site (ads.twitter.com). The first was in the Delete function for credit cards on the payment methods page, https://ads.twitter.com/accounts/[account id]/payment_methods. The delete request carried two identifiers, the advertising account id and the credit card id, and the server acted on whatever values the client supplied rather than checking that the card belonged to an account the requester controlled.
So Aboul-Ela wrote, "All I had to do was to change those two parameters to my other Twitter account id and credit card id, then replay the request again, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction."
The page responded with "403 Forbidden", but the credit card had actually been deleted from the account, which suggests the authorization check ran only after the deletion had already taken effect.
The second vulnerability was similar to the first but had a higher impact. When he tried to add an invalid credit card to his Twitter account, the page displayed the error message "We were unable to approve the card you entered" together with a "Dismiss" button. Clicking the button removed the credit card from his account.
This time the request was made with the following parameters:
utf8=%E2%9C%93&authenticity_token=Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz%2FtrVdQfE%3D&id=220152&dismiss=Dismiss
This time there was no account parameter at all; only the credit card id was used. He changed the credit card id in both the URL and the body to the id of a card on his other Twitter account and replayed the request, and that card was deleted from the other account. Note that the CSRF token (authenticity_token) did nothing to stop this: it only proves the request came from the attacker's own session, not that the attacker is allowed to touch the referenced card.
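Both requests are a textbook insecure direct object reference: the server trusted the account id and card id sent by the client instead of verifying that the card belonged to an account the caller controls. The following Python is an added example, not code from Twitter or from Aboul-Ela, that models both endpoints in memory with the reported flaws beside hardened versions. The account ids, card ids, user names and handler signatures are invented for the demonstration.

```python
# Added example, not Twitter's code or Aboul-Ela's: a tiny in-memory payment
# methods service that reproduces the two authorization flaws described above
# and shows hardened handlers beside them.  Account ids, card ids, user names
# and the handler signatures are all invented for the demo.
from dataclasses import dataclass, field


@dataclass
class Card:
    card_id: int
    account_id: int
    last4: str


@dataclass
class Store:
    cards: dict = field(default_factory=dict)            # card_id -> Card
    account_members: dict = field(default_factory=dict)  # account_id -> {user}


class Forbidden(Exception):
    """Caller is not allowed to act on this account (HTTP 403)."""


class NotFound(Exception):
    """Card does not exist for this caller (HTTP 404)."""


def build_store():
    """Constructed sample data: alice owns ad account 1001, bob owns 2002."""
    s = Store()
    s.account_members = {1001: {"alice"}, 2002: {"bob"}}
    for c in (Card(220151, 1001, "4242"), Card(220152, 2002, "1111")):
        s.cards[c.card_id] = c
    return s


# --- vulnerable handlers (behaviour as reported on the page) -----------------

def delete_card_vulnerable(store, user, account_id, card_id):
    """First endpoint: the card is removed by its global id, and the account
    check happens only afterwards, so the caller sees 403 but the card is gone."""
    store.cards.pop(card_id, None)
    if user not in store.account_members.get(account_id, set()):
        raise Forbidden(403)
    return 200


def dismiss_card_vulnerable(store, user, card_id):
    """Second endpoint: no account id in the request, so nothing is checked."""
    store.cards.pop(card_id, None)
    return 200


# --- hardened handlers -------------------------------------------------------

def delete_card_fixed(store, user, account_id, card_id):
    # 1. Authorize the caller against the account before any side effect.
    if user not in store.account_members.get(account_id, set()):
        raise Forbidden(403)
    # 2. Resolve the card within that account, never by global id alone.
    card = store.cards.get(card_id)
    if card is None or card.account_id != account_id:
        raise NotFound(404)
    del store.cards[card_id]
    return 200


def dismiss_card_fixed(store, user, card_id):
    # With no account in the request, derive it from the card and authorize
    # against that; answer 404 for both "missing" and "not yours" so the
    # endpoint does not confirm which card ids exist.
    card = store.cards.get(card_id)
    if card is None or user not in store.account_members.get(card.account_id, set()):
        raise NotFound(404)
    del store.cards[card_id]
    return 200


def call(store, handler, *args):
    """Run a handler and return its status code (200 or the error's code)."""
    try:
        return handler(store, *args)
    except (Forbidden, NotFound) as e:
        return e.args[0]


if __name__ == "__main__":
    # alice replays her own delete request with bob's account and card ids
    s = build_store()
    print("vulnerable delete:", call(s, delete_card_vulnerable, "alice", 2002, 220152),
          "card still present:", 220152 in s.cards)
    s = build_store()
    print("fixed delete:", call(s, delete_card_fixed, "alice", 2002, 220152),
          "card still present:", 220152 in s.cards)
```

The two design points worth taking from the fix are ordering and scoping: the ownership check must run before any state change (the 403-with-deletion symptom is what happens when it does not), and lookups should be scoped to the caller's account rather than keyed on a globally unique id that anyone can guess or enumerate.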
To demonstrate the vulnerability, Aboul-Ela published a POC video: