Prial Islam

Featured Image for how I earned 5040 from twitter bugbounty

How I earned 5040$ from Twitter by showing a way to Harvest other users IP address

Hi guys,
This is one of my old finding adding to my blog. Recently I disclosed a POC on How I was able to get all vine user’s sensitive Information including Phone no/IP Address/Emails and Many more that was reported to Twitter and they patched it and rewarded me 7560$. Those who missed it you can get the Orginal Report Here.

Today I am going to disclose another Information Disclosure vulnerability that was reported by me to the Twitter Security team in their Bug Bounty Program in Hackerone and they Rewarded me with an amount of 5040$ for this report.

When I testing vine API Endpoints I noticed an Endpoint that uses in the Vine Repost mechanism have a Parameter Named "ipAddress" with some plain Number value Like: 2130706433. We all know Ip Addresses look like: 127.0.0.1, But the value of the "ipAddress" looks invalid. Then when I tried to search about it on google I came to know that the value is valid. Actually, it was Converted to IP Address to Long/Decimal format. So I used an Online Converter tool and was able to get the real Ip.

Vulnerable Endpoint: https://vine.co/api/timelines/users/<POST_ID>

Reproduce
  • To reproduce this issue victim User have to repost any vine in his timeline and a lot of vine users reposted many Vine post in their timeline.
  • So Copy a Reposted Vine POST_ID and place it in the Endpoint and visit it. Example: https://vine.co/api/timelines/users/1293308695089926144
  • Now when I visited the link I got a response like below (The sensitive contents were removed by the twitter security team)
    “repost”: { “username”: “██████”, “verified”: 0, “vanityUrls”: [], “created”: “█████”, “repostId”: ████████, “avatarUrl”: “██████”, “userId”: ████, “user”: { “username”: “█████████”, “verified”: 0, “vanityUrls”: [], “avatarUrl”: “█████████”, “userId”: ████, “private”: 0, “location”: █████████ }, “flags|platform_lo”: 1, “postId”: ███, “ipAddress”: 2130706433 , “flags|platform_hi”: 1 }
  • As you can see the ipAddress parameter value is converted now Just Use my give online tool to again convert it to valid ip address value .

I reported this issue on Jan 26th and they paid me 5040$ for reporting this on Feb 25th.

5040$ from Twitter
5040$ from Twitter

Thanks for reading. Happy Hunting.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent tweets

If Tweet url is not visible properly then follow Read More

Jun 17 2021, 10:28 am

@asad0x01 @Hacker0x01 First time? 👀🌚 Read More

Jun 02 2021, 9:43 am

@mamunwhh Link attached with the main tweet. If you can’t see it check at Read More

May 22 2021, 11:59 am

@hackrzvijay I used account of sifat bhai who owns restaurant and previously opened Uber Eats... Read More

May 22 2021, 11:58 am

@_vagab0nd__ @LdrTom @HannanHaseeb11 Yah, uid is not guessable and really long to brute-force. I looked... Read More

May 22 2021, 11:50 am

@47_hacks I asked someone who have restaurant to open a account for me. You can... Read More

May 22 2021, 11:47 am

Recent posts