How I earned $5040 from Twitter by showing a way to harvest other users' IP addresses

Hi guys,
This is one of my old findings that I am adding to my blog. Recently I disclosed a PoC on how I was able to get every Vine user's sensitive information, including phone number, IP address, email and more; that was reported to Twitter, they patched it and rewarded me $7560. Those who missed it can get the original report here.

Today I am going to disclose another information disclosure vulnerability that I reported to the Twitter security team through their bug bounty program on HackerOne; they rewarded me $5040 for this report.

While testing Vine API endpoints I noticed that an endpoint used by the Vine repost mechanism returned a parameter named "ipAddress" with a plain numeric value like 2130706433. We all know IP addresses look like 127.0.0.1, so the value of "ipAddress" looked invalid. When I searched for it on Google I learned that the value is in fact valid: it is an IP address converted to long/decimal format. So I used an online converter tool and was able to get the real IP.

Vulnerable Endpoint: https://vine.co/api/timelines/users/<POST_ID>

Reproduce
  • To reproduce this issue the victim user has to have reposted a Vine in their timeline, and a lot of Vine users have reposted many Vine posts in their timelines.
  • So copy a reposted Vine POST_ID, place it in the endpoint and visit it. Example: https://vine.co/api/timelines/users/1293308695089926144
  • When I visited the link I got a response like the one below (the sensitive contents were removed by the Twitter security team):
    "repost": { "username": "██████", "verified": 0, "vanityUrls": [], "created": "█████", "repostId": ████████, "avatarUrl": "██████", "userId": ████, "user": { "username": "█████████", "verified": 0, "vanityUrls": [], "avatarUrl": "█████████", "userId": ████, "private": 0, "location": █████████ }, "flags|platform_lo": 1, "postId": ███, "ipAddress": 2130706433, "flags|platform_hi": 1 }
  • As you can see, the ipAddress parameter value is in the converted form; just use the online tool I mentioned to convert it back to a valid IP address.
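As an added example (not code from the original post or from Vine), here is a small Python helper that does the decimal-to-dotted conversion described above without an online tool, and walks a decoded API response to flag any field that exposes a client IP, which is the kind of check an API owner would run over their own responses before shipping. The sample response is constructed to mirror the redacted one above, and the function names are my own.

```python
import ipaddress
import json
from typing import Any, List, Tuple


def long_to_ip(value: int) -> str:
    """Decimal ("long") IPv4 value such as 2130706433 -> dotted quad "127.0.0.1"."""
    return str(ipaddress.IPv4Address(value))


def ip_to_long(dotted: str) -> int:
    """Inverse: dotted-quad IPv4 string -> its decimal representation."""
    return int(ipaddress.IPv4Address(dotted))


def find_leaked_ips(obj: Any, path: str = "") -> List[Tuple[str, str]]:
    """Walk a decoded JSON response and return (json_path, dotted_ip) for every
    field whose name contains "ip" and whose value parses as an IPv4 address,
    whether given as a decimal integer or as a dotted string.
    The key-name match is deliberately loose; tighten it for your own schema."""
    found: List[Tuple[str, str]] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}" if path else key
            if "ip" in key.lower() and isinstance(val, (int, str)) and not isinstance(val, bool):
                try:
                    # Out-of-range integers and non-IP strings raise and are skipped.
                    found.append((child, str(ipaddress.IPv4Address(val))))
                    continue
                except (ipaddress.AddressValueError, ValueError):
                    pass
            found.extend(find_leaked_ips(val, child))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            found.extend(find_leaked_ips(val, f"{path}[{i}]"))
    return found


# Constructed sample modelled on the redacted response in the post; only the
# ipAddress value (2130706433) is taken from the page.
SAMPLE_RESPONSE = json.loads("""
{"repost": {"username": "REDACTED_USER", "verified": 0, "vanityUrls": [],
            "repostId": 1, "userId": 2,
            "user": {"username": "REDACTED_ORIGINAL", "verified": 0,
                     "vanityUrls": [], "userId": 3, "private": 0},
            "flags|platform_lo": 1, "postId": 4,
            "ipAddress": 2130706433, "flags|platform_hi": 1}}
""")

if __name__ == "__main__":
    for json_path, ip in find_leaked_ips(SAMPLE_RESPONSE):
        print(f"{json_path} exposes client IP {ip}")
```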

I reported this issue on Jan 26th and they paid me $5040 for it on Feb 25th.

5040$ from Twitter

Thanks for reading. Happy Hunting.
