Twitter was until a few months ago affected by a vulnerability that could have been exploited to bypass the social media network’s account locking mechanism.
Twitter can lock user accounts for security purposes if it detects suspicious behavior which could indicate that an account may have been compromised. In order to have the account unlocked, the user needs to confirm they are the legitimate owner by providing some information, such as phone number and email address.
Security expert Aaron Ullger discovered that this account locking mechanism could have been easily bypassed by adding the targeted account to a mobile device. The researcher added the locked account to his iPhone (via the Settings page), installed the Twitter app on the device, and he was given full access to the account.
However, Ullger noticed that the targeted account remained locked on the Twitter website, so the bypass was not yet complete. To finish it, the expert used the iOS Twitter app to open the account's settings and read off the email address and phone number needed to unlock the account on the web.
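The flaw described above is a classic enforcement gap: the lock was checked on one client path (the web login) but not on another (the mobile API that the iOS app uses after the account is added in Settings), and an endpoint that returns sensitive profile data did not re-check the lock either. The following is an added illustration, not Twitter's code and not from the researcher's blog post; the account data, the `web_login_vulnerable`/`mobile_login_vulnerable` split and the `login`/`authorize` gate are all constructed to show the shape of the bug beside a hardened version, where one gate is applied at login and again on every authenticated request so that a lock holds for every client and for sessions that already exist.

```python
# Added illustration (not Twitter's code): enforcing an account lock on every
# client path, including the mobile API and the settings endpoint.
import secrets
from dataclasses import dataclass


class AccountLocked(Exception):
    """Raised when a locked account is used from any client."""


class AuthFailed(Exception):
    """Raised on a bad username/password or an unknown session token."""


@dataclass
class Account:
    username: str
    password: str        # plaintext only so the toy example stays short
    email: str
    phone: str
    locked: bool = False


# Constructed sample data; "bob" is the account the security system has locked.
ACCOUNTS = {
    "alice": Account("alice", "alice-pw", "alice@example.test", "+15550000001"),
    "bob": Account("bob", "bob-pw", "bob@example.test", "+15550000002", locked=True),
}
SESSIONS = {}   # session token -> username (constructed in-memory store)
AUDIT = []      # constructed audit log; lock violations land here for detection


def _check_password(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None or not secrets.compare_digest(acct.password, password):
        raise AuthFailed("bad credentials")
    return acct


def _issue_session(username):
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = username
    return token


# ---- vulnerable shape: the lock is consulted only by the web login handler ----
def web_login_vulnerable(username, password):
    acct = _check_password(username, password)
    if acct.locked:
        raise AccountLocked(username)
    return _issue_session(username)


def mobile_login_vulnerable(username, password):
    _check_password(username, password)   # lock never consulted on this path
    return _issue_session(username)


def get_settings_vulnerable(token):
    username = SESSIONS.get(token)
    if username is None:
        raise AuthFailed("invalid session")
    acct = ACCOUNTS[username]
    return {"email": acct.email, "phone": acct.phone}   # served even if locked


# ---- hardened shape: one gate, applied at login and again on every request ----
def _require_unlocked(acct, client):
    if acct.locked:
        AUDIT.append(f"locked-account access attempt user={acct.username} client={client}")
        raise AccountLocked(acct.username)


def login(username, password, client):
    acct = _check_password(username, password)
    _require_unlocked(acct, client)       # same check regardless of client
    return _issue_session(username)


def authorize(token, client):
    username = SESSIONS.get(token)
    if username is None:
        raise AuthFailed("invalid session")
    acct = ACCOUNTS[username]
    _require_unlocked(acct, client)       # re-checked: a lock applied after login still holds
    return acct


def get_settings(token, client):
    acct = authorize(token, client)
    return {"email": acct.email, "phone": acct.phone}


def lock_account(username):
    ACCOUNTS[username].locked = True


def denied(fn, *args):
    """True if the call is refused because the account is locked."""
    try:
        fn(*args)
    except AccountLocked:
        return True
    return False
```

Two design points carry the lesson: the lock check lives in one function that every login path calls, and `authorize` repeats it per request rather than trusting that the session was clean when issued. The audit line written on each refusal is the detection hook; a locked account being tried from several client types in quick succession is exactly the signal a security team would want to alert on.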
This vulnerability could have been useful for an attacker who had stolen the targeted user’s credentials, but wanted to prevent being locked out of the account.
“An attacker with knowledge of a locked account’s credentials would’ve been able to exploit this issue to gain complete access to the victim’s profile,” Ullger said in a blog post.
The flaw was reported to Twitter on October 7 and it was patched a few days later. The researcher said he received an unspecified bug bounty for his work.
Twitter has been running a bug bounty program on the HackerOne platform since September 2014. Bug bounty hunters can earn as much as $15,000 for a serious remote code execution vulnerability affecting the company’s core services.
According to its HackerOne page, Twitter has so far received nearly 600 vulnerability reports and it has paid out a total of more than $600,000.