Twitter: Twitter Ads Campaign information disclosure through admin without any authentication.

2015-03-02T15:00:30
ID H1:49806
Type hackerone
Reporter avicoder_
Modified 2015-04-25T08:22:05

Description

Hi Twitter !!

I just wanted to report a major flaw which I found in https://ads.twitter.com , hoping it makes Twitter more secure. I am glad to be a part of it.

Vulnerability Name: OWASP A6: Sensitive Data Exposure

Vulnerable URL: https://ads.twitter.com/admin/accounts_typeahead.json?query=*

Vulnerability Overview: Information disclosure without any authentication.

Proof of Concept:

- Log into a Twitter account first.
- Go to this URL: https://ads.twitter.com/admin/accounts_typeahead.json?query=avicoder
- Change the query string to any other account or screen_name, e.g. microsoft.
- You can view all the information about the account associated with the campaign.
- Usually this information is only visible to members of the campaign.
- Look at the user_name_info element in the JSON PoC, which actually exposes the members associated with the campaign.

I attached the JSON file from when I queried my account in a private window. It gives me all the information about the members linked to the campaign without any need of being an admin, manager or analyst.

I made this report short, unlike my previous reports, but it is to the point. Please get back to me if more information is needed.

Happy to help

:)

avicoder
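The flaw described in the report is a missing authorization check on an admin-only endpoint: the typeahead handler verified that a Twitter session existed but not that the caller was staff, and it returned the full account record (including campaign members) rather than the minimum a typeahead needs. The following is an added illustration, not Twitter's code and not the reporter's. It models the endpoint as a plain Python function with constructed sample data; the account IDs, member names, the `is_staff` flag and the `Session` class are all hypothetical. The vulnerable handler reproduces the behaviour described in the report; the hardened handler adds the role check and trims the response.

```python
"""Model of an admin typeahead endpoint, vulnerable vs. hardened.

Added example for illustration; not code from Twitter or the reporter.
Handlers return (http_status, json_body) instead of raising, mirroring
an HTTP API. All data below is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample data (hypothetical ad accounts and campaign members).
ACCOUNTS = {
    "avicoder": {
        "account_id": "acct-0001",
        "user_name_info": [
            {"screen_name": "avicoder", "role": "admin"},
        ],
    },
    "microsoft": {
        "account_id": "acct-0002",
        "user_name_info": [
            {"screen_name": "ms_ads_manager", "role": "manager"},
            {"screen_name": "ms_ads_analyst", "role": "analyst"},
        ],
    },
}


@dataclass
class Session:
    """Hypothetical session object: who is logged in and whether they are staff."""
    screen_name: str
    is_staff: bool = False


def _matching_accounts(query: str):
    """Typeahead matching: '*' is a wildcard, otherwise prefix match."""
    pattern = query if "*" in query else query + "*"
    return [name for name in ACCOUNTS if fnmatch(name, pattern)]


def typeahead_vulnerable(session, query):
    """Only checks that *somebody* is logged in, then returns everything.

    Any Twitter user can enumerate other accounts' campaign members,
    which is the behaviour the report describes.
    """
    if session is None:
        return 401, {"error": "login required"}
    results = [dict(screen_name=n, **ACCOUNTS[n]) for n in _matching_accounts(query)]
    return 200, {"results": results}


def typeahead_fixed(session, query):
    """Requires a staff session (authorization, not just authentication)
    and returns only the fields a typeahead actually needs."""
    if session is None:
        return 401, {"error": "login required"}
    if not session.is_staff:
        # Authenticated but not authorized for /admin/: deny.
        return 403, {"error": "admin only"}
    results = [
        {"screen_name": n, "account_id": ACCOUNTS[n]["account_id"]}
        for n in _matching_accounts(query)
    ]
    return 200, {"results": results}


def leaks_members(body) -> bool:
    """Check a response body for the member list the report flagged."""
    return any("user_name_info" in r for r in body.get("results", []))


if __name__ == "__main__":
    outsider = Session("random_user")
    status, body = typeahead_vulnerable(outsider, "microsoft")
    print("vulnerable:", status, "leaks members:", leaks_members(body))
    status, body = typeahead_fixed(outsider, "microsoft")
    print("fixed (outsider):", status)
    status, body = typeahead_fixed(Session("staff_user", is_staff=True), "*")
    print("fixed (staff):", status, "leaks members:", leaks_members(body))
```

The two points to take from the hardened handler are that authentication (a valid session) and authorization (the right role for an `/admin/` path) are separate checks, and that even an authorized response should carry only what the feature needs; a typeahead suggesting account names has no reason to include the member roster.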