Malicious code in scopely-mopub-aacebookaudiencenetwork-adapters (npm)
Source: ghsa-malware aee14242e10a022c5151238ed0900d84007af9d10e3916aa39cc78066f58e2cc. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
X (Formerly Twitter): Ability to bruteforce MoPub account's password due to lack of rate limitation protection using IP rotation techniques
Summary: I tried to guess the password on my account. I sent out nearly 1,000 requests, and I was virtually banned at about request 120. But when I changed my IP and tried logging in, I was logged into the account without any additional checks. Description: Your web authentication endpoint,...
X (Formerly Twitter): XSS on https://app.mopub.com/reports/custom/add/ [new-d1]
Parameter: new-d1. Payload: Steps to reproduce: 1. Go to URL: https://app.mopub.com/reports/custom/add/ 2. Start Burp Suite proxy, intercept on. 3. Enter payload in vulnerable parameter. 4. Click on Run and Save button. 5. You will see JavaScript getting executed. POST Request POST...
X (Formerly Twitter): XSS and Open Redirect on MoPub Login
Summary: I found an open redirect at the MoPub login page, https://app.mopub.com/login?next=https://google.com. It also allows javascript: URIs, leading to XSS. Description: You can modify the "next" URL parameter to redirect to any website upon logging in on MoPub. Steps To Reproduce: 1. Take this...
X (Formerly Twitter): Stored XSS in https://app.mopub.com
Vulnerable URL: https://app.mopub.com/reports/custom/ XSS Payload: " Parameter: nrnew-interval Steps To Reproduce: 1. Login with your credentials. 2. Go to URL: https://app.mopub.com/reports/custom/ 3. Click on New Network Report = Create a new network performance report. 4. Start Burp Suite proxy...
X (Formerly Twitter): Reports Modal in app.mopub.com Disclosed to any user
Summary: I sent this report and it was closed as "Informative", and I was asked to send a new report if more information was available for exploitation (544278). Description: Twitter allows "mopub" users to create reports, and each report gets a unique ID to reach it. The report information is displayed by...
X (Formerly Twitter): IDOR and statistics leakage in Orders
Description: Twitter, on its service "MoPub", has statistics dedicated to the results of "Orders". Testing shows that the endpoint "https://app.mopub.com/web-client/api/orders/stats/query" is affected by an IDOR bug, which leads to the leak of private "Orders" statistics of other users. Steps T...
X (Formerly Twitter): Multiple XSS on account settings that can hijack any users in the company.
Note: Hello Twitter Team, I just noticed that my report 485748 is already fixed, can you confirm? But my other duplicate reports aren't and still exist: 492444, 492913. Are you sure it's the same root cause? Because I think the broad fix is already released but didn't fix the other issues. I wi...
X (Formerly Twitter): Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)
Hi Team, this looks like a very critical issue, so you should fix it ASAP. Steps to reproduce: 1. Go to your MoPub account and create a segment in your network. 2. You will get a segment ID now. 3. Now go to the API link: https://app.mopub.com/networks/v2/api/segment/Segmentid Note: page will take...
X (Formerly Twitter): File Upload XSS in image uploading of App in mopub
Hi Team, I want to report a file upload XSS in your image upload functionality of Apps in MoPub. The server doesn't check whether you are uploading jpg/jpeg files, and it uploads the file to image.mopub.com. POC link: https://images.mopub.com/appicons/126cb3308e1a464385a49c4c7aaeac56 Steps to...
X (Formerly Twitter): IDOR- Activate Mopub on different organizations- steal api token- Fabric.io
Hello, there is an option to enroll your organization in fabric.io for MoPub, but this particular endpoint is missing proper authorization checks, allowing any user to steal API tokens. Vulnerable request ================ POST /api/v3/organizations/5460d2394b793294df01104a/mopub/activate HTTP/1....
Twitter Launches Digits – A Password Free Login Service For App Developers
There's good news for app developers. On Wednesday at Twitter's first annual developer conference, Flight, the company announced a new tool for developers which will allow users to log in to mobile applications using their phone numbers rather than a traditional username and password combination...
X (Formerly Twitter): XSS ON MOPUB.COM
PERSISTENT XSS ON MOPUB.COM STEPS TO REPRODUCE: 1. Go to order 2. Type in the advertiser " and then press tab 3. PAYLOAD RUNS...