17 matches found
X (Formerly Twitter): Link-shortener bypass (regression on fix for #1032610)
Report 1032610, entitled Chained open redirects and use of Ideographic Full Stop defeat Twitter's approach to blocking links was closed as Resolved about six months ago. However, a regression on the fix for the vulnerability in question seems to have occurred, and the bug is reproducible with the...
X (Formerly Twitter): Safe Redirect Bypass
Hello Team, Summary: The URL below bypasses the safe redirect and redirects directly to the malicious website. http://evil.org/%00 The reason for this may be the fix in report 921286. Steps: Tweet the URL below: http://evil.org/%00 Thanks! @cyanpiny Impact The attacker can direct the victim...
X (Formerly Twitter): User input validation can lead to DOS
Hi Security Team, Summary: There is no limit to the number of characters in phone numbers, and using this you can perform a DOS attack. Description: On the phone number input form at https://twitter.com/account/complete there is no input validation; using this you can send a larger payload and may cau...
X (Formerly Twitter): Periscope-all Firebase database takeover
Hello, I found one public Firebase database of periscope.tv and I am able to insert data into this database. I only used it once for testing purposes, so other database queries are also possible. Please follow the link below to check the inserted test data. Periscope-all Firebase URL:...
X (Formerly Twitter): Protected Tweets setting overridden by Android app
Summary: Protected Tweets setting overridden by Android app Description: The Android app overrides the "Protect your Tweets" setting set from outside the app in some cases when changing other settings. Steps To Reproduce: 1. Log in to an account with unprotected tweets on the Android app. 1. Log ...
X (Formerly Twitter): HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter
Overview The image_src parameter on amp.twimg.com accepts images from any arbitrary host, therefore enabling attackers to supply image destinations that respond with an "HTTP 401 Unauthorized" response. Description HTTP 401 attacks occur when there is no whitelisting or proxying of images and/or page...
X (Formerly Twitter): [██████████.gnip.com] .htpasswd disclosure
Greetings, There is a .htpasswd disclosure on your subdomain: - Go to: http://█████████.gnip.com/.htpasswd - previewgnip:██████ F173925 Fix: Protect the htpasswd file...
X (Formerly Twitter): Vine all registered users' private/sensitive information disclosure [IP address/phone no./email and much other information]
The reporter discovered a bug related to the Vine Archive which had the potential to expose the email address or phone number associated with a Vine account to a third party through the Vine API. The vulnerability was discovered by the reporter, triaged, and remediated within 24 hours of the...
X (Formerly Twitter): Full Path Disclosure at 27.prd.vine.co
27.prd.vine.co had DNS pointing to an EC2 instance which had a path disclosure. The EC2 instance was previously owned by Vine but had been deallocated and later re-allocated to a new Amazon customer...
X (Formerly Twitter): View liked tweets of private account via publish.twitter.com
https://publish.twitter.com/?url=https://twitter.com/privateaccountid/likes POC: Private account https://twitter.com/testprivateacc1 https://publish.twitter.com/?url=https://twitter.com/testprivateacc1/likes...
X (Formerly Twitter): [Studio.twitter.com] See someone else pics
Hi Team, The URL below is missing authorisation: user A, who does not have access to user B's data, is able to view the video/pics by user. Vulnerable request: GET /1/library/list.json?accountid=4503599659510351&ownerid=12&limit=20&offset=0 HTTP/1.1 Host: studio.twitter.com User-Agent: Mozilla/5.0...
X (Formerly Twitter): Sub-Domain Takeover
Hey! Your subdomain web.mopub.com is pointing to DYN but you have not claimed it on DYN's end. So what happens here is actually that, since web.mopub.com is pointing to DYN, DYN is actually checking if there's a host with that name, which in this case was not true. So I was able to claim the domain...
X (Formerly Twitter): Reporting user's profile by using another people's ID
Hello, I'm Hussein. Here is the video of the POC: https://www.youtube.com/watch?v=1UQmGRfDoYE The link I used in the video: https://twitter.com/safety/reportstory?source=reportprofile&reporteduserid=ID TO REPORT&reporteruserid=REPORTER's ID Please fix this quickly. Thanks, Good day...
X (Formerly Twitter): POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com
Hi! Looks like there is SSLv3 Padding Oracle vuln on: 199.16.156.44, 199.16.156.108, mx4.twitter.com...
X (Formerly Twitter): Open redirection in fabric.io
Hi dear, Once the person is logged into his account he can be redirected to any website. https://www.fabric.io/login?redirecturl=@ for example: https://www.fabric.io/[email protected] Tested on updated Firefox and Chrome...
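The link-shortener and safe-redirect bypasses listed above (a hostname written with U+3002 ideographic full stop instead of ".", a chain of open redirects where only the first hop is inspected, a %00 in the target) and the fabric.io open redirect come down to the same two checks: canonicalise the host the browser will actually connect to before consulting a blocklist or allowlist, and evaluate every hop of a redirect chain rather than just the first. The following is an added example of those checks in Python; it is not Twitter's or Fabric's code, and the blocklist, allowlist and redirect table are constructed test data standing in for a real HTTP client.

```python
"""Host canonicalisation, redirect-chain following and allowlisted redirects.

Added example, not Twitter's or Fabric's code. BLOCKED_HOSTS,
REDIRECT_ALLOWLIST and REDIRECTS are constructed test data.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed data: hosts a link filter refuses, and hosts a post-login
# redirect is allowed to land on.
BLOCKED_HOSTS = {"evil.org"}
REDIRECT_ALLOWLIST = {"twitter.com", "www.twitter.com"}

# Raw C0 controls and DEL. '%00' becomes '\x00' once percent-decoded.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def canonical_host(url):
    """Lowercase ASCII host the browser would connect to, or None if unusable.

    urlsplit().hostname drops userinfo, so 'https://www.twitter.com@evil.org/'
    yields 'evil.org'. The IDNA codec (RFC 3490 section 3.1) treats U+3002,
    U+FF0E and U+FF61 as label separators just like '.', so 'evil' U+3002 'org'
    becomes 'evil.org'. Control characters (raw or percent-encoded) and
    backslashes are rejected rather than guessing how a client parses them.
    """
    if _CONTROL_CHARS.search(unquote(url)) or "\\" in url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host.rstrip(".").lower()


def follow_redirects(url, location_of, max_hops=5):
    """Return (chain, terminated). location_of(url) returns the Location header
    of a non-following request, or None when the URL does not redirect."""
    chain = [url]
    for _ in range(max_hops):
        nxt = location_of(chain[-1])
        if nxt is None:
            return chain, True
        chain.append(nxt)
    return chain, False  # still redirecting after max_hops


def _on_host(host, hosts):
    return any(host == h or host.endswith("." + h) for h in hosts)


def is_link_blocked(url, location_of, blocklist=BLOCKED_HOSTS, max_hops=5):
    """Block a link if any hop of its redirect chain is on (or under) a blocked
    host, any hop is unparseable, or the chain never terminates. Fails closed,
    so shortener -> open redirector -> blocked host is caught at the last hop."""
    chain, terminated = follow_redirects(url, location_of, max_hops)
    if not terminated:
        return True
    for hop in chain:
        host = canonical_host(hop)
        if host is None or _on_host(host, blocklist):
            return True
    return False


def safe_redirect_target(raw, allowlist=REDIRECT_ALLOWLIST):
    """Return raw if it is a same-origin path or an absolute URL on an
    allowlisted host; otherwise None so the caller falls back to a default."""
    if _CONTROL_CHARS.search(unquote(raw)) or "\\" in raw:
        return None
    if raw.startswith("/") and not raw.startswith("//"):
        return raw  # '//host/...' is scheme-relative, not same-origin
    host = canonical_host(raw)
    return raw if host is not None and host in allowlist else None


# Constructed stand-in for HEAD requests: URL -> Location header.
REDIRECTS = {
    "https://short.example/abc": "https://open.example/go?u=https://evil\u3002org/",
    "https://open.example/go?u=https://evil\u3002org/": "https://evil\u3002org/",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}


def lookup_location(url):
    return REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("https://short.example/abc", "https://loop.example/a",
                 "http://evil.org/%00", "https://twitter.com/home"):
        print(link, "blocked" if is_link_blocked(link, lookup_location) else "allowed")
    for target in ("/settings", "https://www.twitter.com@evil.org/",
                   "https://twitter\u3002com/settings", "//evil.org/"):
        print(repr(target), "->", safe_redirect_target(target))
```

The blocklist side fails closed on anything it cannot parse or resolve, which is the safer default for a shortener; the allowlist side matches hosts exactly, since a redirect after login has no reason to land on an arbitrary subdomain. A production version would replace lookup_location with a HEAD request that does not auto-follow redirects and a timeout per hop.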
X (Formerly Twitter): ads.twitter.com xss
A Cross-Site Scripting vulnerability exists in the cardname parameter when creating/cloning a card via script https://ads.twitter.com/accounts/18ce53wrkma/cards/new?cardtype=7. Here is the simple test vector: alert(document.cookie) After the card is created the XSS becomes persistent and can be triggered via...
X (Formerly Twitter): password sent over HTTP
URL: http://lb.vine.co/login You need to use HTTPS and enforce it:...