> NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!
Summary: [add summary of the vulnerability] An user can invert the user ids from a direct message URL, which is the conversation_id, and delete the whole conversation history without using the proper conversation_id and without a proper feedback to the user.
Description: [add more details about this vulnerability] By having a direct message to any user, Twitter creates a specific id to this conversation. The conversation_id. This id is concatenation between the two user ids in this conversation separated by an hyphen . For example:
If an user invert these numbers(e.g: in our example 45678-12345) the user is asked to either accept to receive message from an undefined user or to delete it.(Attached print1). After clicking "Delete" the whole conversation history from the original conversation is deleted without ever following the happy path to proper leave a conversation.
(Add details for how we can reproduce the issue)
Do you want to let message you? They won’t know you’ve seen their message until you accept.Report conversation
You can see there is a blank space between the words 'let' and 'message'. 6. If the user clicks on 'Delete' the original history from the original conversation is deleted(attached image: after_Deleting.png) and the feedback gave to the user doesn't mention this.
Since we didn't use the proper conversation_id to delete the conversation this action might create an inconsistence on the conversations database.
An attacker could create an inconsistence on the conversation data since we used a wrong conversation_id to delete the history. Maybe this issue could lead to other exploits since we had a info icon for an undefined user.