Prial Islam

Featured Image for how I earned 5040 from twitter bugbounty

How I earned 5040$ from Twitter by showing a way to Harvest other users IP address

Hi guys,
This is one of my old finding adding to my blog. Recently I disclosed a POC on How I was able to get all vine user’s sensitive Information including Phone no/IP Address/Emails and Many more that was reported to Twitter and they patched it and rewarded me 7560$. Those who missed it you can get the Orginal Report Here.

Today I am going to disclose another Information Disclosure vulnerability that was reported by me to the Twitter Security team in their Bug Bounty Program in Hackerone and they Rewarded me with an amount of 5040$ for this report.

When I testing vine API Endpoints I noticed an Endpoint that uses in the Vine Repost mechanism have a Parameter Named "ipAddress" with some plain Number value Like: 2130706433. We all know Ip Addresses look like: 127.0.0.1, But the value of the "ipAddress" looks invalid. Then when I tried to search about it on google I came to know that the value is valid. Actually, it was Converted to IP Address to Long/Decimal format. So I used an Online Converter tool and was able to get the real Ip.

Vulnerable Endpoint: https://vine.co/api/timelines/users/<POST_ID>

Reproduce
  • To reproduce this issue victim User have to repost any vine in his timeline and a lot of vine users reposted many Vine post in their timeline.
  • So Copy a Reposted Vine POST_ID and place it in the Endpoint and visit it. Example: https://vine.co/api/timelines/users/1293308695089926144
  • Now when I visited the link I got a response like below (The sensitive contents were removed by the twitter security team)
    “repost”: { “username”: “██████”, “verified”: 0, “vanityUrls”: [], “created”: “█████”, “repostId”: ████████, “avatarUrl”: “██████”, “userId”: ████, “user”: { “username”: “█████████”, “verified”: 0, “vanityUrls”: [], “avatarUrl”: “█████████”, “userId”: ████, “private”: 0, “location”: █████████ }, “flags|platform_lo”: 1, “postId”: ███, “ipAddress”: 2130706433 , “flags|platform_hi”: 1 }
  • As you can see the ipAddress parameter value is converted now Just Use my give online tool to again convert it to valid ip address value .

I reported this issue on Jan 26th and they paid me 5040$ for reporting this on Feb 25th.

5040$ from Twitter
5040$ from Twitter

Thanks for reading. Happy Hunting.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent tweets

@naglinagli @0xCOD3 Congratulations @0xCOD3 , waiting for the workflow on this ❤️ Read More

Jan 27 2021, 8:20 am

@imranHudaA @naglinagli @PrettyRecon I can see 5 subdomain. One is base domain here. Read More

Jan 26 2021, 5:34 pm

@BrianBitange1 @naglinagli You got my github endpoints what I used to takeover 😷 Read More

Jan 26 2021, 1:43 pm

@Bugcrowd MVP swag arrived 🥰🔥 #BugBounty #ItTakesACrowd ❤️ https://t.co/rEU62Mvhc1 Read More

Jan 06 2021, 1:45 pm

2021 started with @Hacker0x01 #Hacker0x01 #TogetherWeHitHarder ❤️ https://t.co/s6vVGhD2XU Read More

Jan 05 2021, 7:38 pm

RT @hunter0x7: https://t.co/JMOjrkXlAN Read More

Jan 05 2021, 12:13 pm

Recent posts