
This Bengaluru hacker says he could have tweeted from anyone’s Twitter handle

Written by: Soumya Chatterjee

We often think that setting up a two-step authentication process ensures the safety of our online accounts. While we remain reassured in that knowledge, this ethical hacker from Bengaluru showed us that bugs in social media websites can make our accounts vulnerable to hackers, who can gain easy access to these sites by exploiting the loopholes. 

Anand Prakash spotted a vulnerability in the microblogging site Twitter, exploiting which he found that he could compromise any existing Twitter account. 

While the bug was fixed by Twitter in September 2016, Anand spoke about the bug only on Sunday in his blog titled ‘How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)’. The blog also contains a proof-of-concept video for the same.

“Using this bug, one could have tweeted from Narendra Modi, Donald Trump's, and all other accounts without having password/two factor authentication code,” Anand told TNM.

What’s the hack?

Anand explains that, through Twitter Studio (a Twitter app), one could have tweeted from other users’ accounts, uploaded videos, and viewed or deleted their private videos and photos, because the app’s API requests were missing authorisation checks.

"As the authorisation check was missing, I could have replaced my user id with any other user id which I want to hack, by using an intercepting software like Burp Suite in the API request code. This means I could have tweeted anything from another person’s handle without even knowing their user ID or password," Anand said.

“Twitter had launched a new product named Twitter Studio (studio.twitter.com) in September 2016. So I started looking out for security loopholes after the launch. All API requests on studio.twitter.com were sending a parameter named "owner_id" which was the Twitter user ID (publicly available and sequential) of the logged-in user. The owner_id parameter was missing authorisation checks, changing which allowed me to take actions on behalf of other Twitter users,” Anand wrote in his blog.
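The class of bug Anand describes is an insecure direct object reference: the server used a client-supplied `owner_id` as the caller's identity instead of the identity bound to the session. The following is an added illustration, not code from Anand's write-up or from Twitter; the media store, handler names and sample data are constructed for the example. It shows a handler that trusts `owner_id` beside the corrected version that derives the owner from the session and treats a mismatching `owner_id` as a signal worth rejecting and logging.

```python
# Added example (hypothetical names; not Twitter Studio's real code).
# Models a "delete media" endpoint that receives a request body with
# "owner_id" and "media_id", as in the bug described in the article.
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int  # established by the server at login; not client-controlled


@dataclass
class MediaStore:
    # media_id -> owner user_id (constructed sample data)
    media: dict = field(default_factory=lambda: {101: 1, 102: 2})


def delete_media_vulnerable(store, session, params):
    """Vulnerable: identity is taken from the client-supplied owner_id.

    The session is never consulted, so any caller who edits owner_id in
    the request can act as that user (an IDOR, as in the article)."""
    owner_id = int(params["owner_id"])
    media_id = int(params["media_id"])
    if store.media.get(media_id) != owner_id:
        return 404, "not found"
    del store.media[media_id]
    return 200, "deleted"


def delete_media_fixed(store, session, params):
    """Fixed: authorisation is bound to the authenticated session.

    A client-supplied owner_id is never used for the access decision; if
    one is present and disagrees with the session it is refused, and a
    production service would log that mismatch as a tampering indicator."""
    media_id = int(params["media_id"])
    if "owner_id" in params and int(params["owner_id"]) != session.user_id:
        return 403, "forbidden"  # owner_id tampering: deny, and log it
    if store.media.get(media_id) != session.user_id:
        return 403, "forbidden"  # not the caller's media
    del store.media[media_id]
    return 200, "deleted"


def demo():
    """User 1 tries to delete user 2's media (id 102) via owner_id=2."""
    attacker_request = {"owner_id": "2", "media_id": "102"}
    before = delete_media_vulnerable(MediaStore(), Session(1), attacker_request)
    after = delete_media_fixed(MediaStore(), Session(1), attacker_request)
    return before, after  # ((200, 'deleted'), (403, 'forbidden'))
```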

According to Anand, he was rewarded $5,040 for hunting this bug, which takes his total bounty collection to $31,220 from Twitter alone.

Anand had previously spotted bugs and earned bounties from companies like Google, Facebook and Uber among others.   
