Multi-device-hopping Twitter vulnerability discovered and patched

News by Max Metzger

A bug bounty hunter has presented Twitter with a vulnerability, which it promptly patched

A new vulnerability in Twitter has been discovered and patched. The patch resulted from a report by Karan Saini, a security researcher who wrote up the finding on his blog after working out a way around the security protections on a locked Twitter account.

Twitter, like most social media platforms, has a number of mechanisms for locking out users who fail basic security checks. In many cases, a run of failed password attempts results in a lock screen and a request for additional information to verify the account holder's identity.

When Twitter locks an account, it may ask for the email address or phone number on file before restoring access. Saini first tried to get around the verification screen on his locked account by signing in through Twitter's mobile site, and then through TweetDeck. Both attempts ended in the same place: the verification page.

He then tried adding his Twitter account to his iPhone through the built-in account settings of iOS, a path that exists on the phone whether or not the Twitter app is installed. After adding the account, he wrote, he could "do pretty much everything on my account".

His desktop account, however, was still locked – but not for long.

After downloading the Twitter app for iOS, he found that his account was already logged in. He then navigated to his account settings, where his user information, including the very details the verification screen asks for, was plainly displayed. Armed with that information, he went back to the locked desktop screen and unlocked his account.
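The bug class here is an authorization check enforced on one client surface but not another: the lock was applied at the web and TweetDeck logins, while the session created through the phone's account settings was never asked about it, and that session could read the details needed to clear the lock. The following toy model is an added example, not Twitter's code or Saini's; the service, account data, client paths and method names are all invented. It contrasts a service that checks lock state only on the web login path with one that re-checks it in a single gate on every request.

```python
import secrets
from dataclasses import dataclass


# Constructed sample record; the username, email and phone number are made up.
@dataclass
class Account:
    username: str
    password: str
    email: str
    phone: str
    locked: bool = False


class LockedError(Exception):
    """Raised when a locked account must pass identity verification first."""


class VulnerableService:
    """Hypothetical service whose lock check lives only in the web login path.

    The OS-level account integration issues a session without consulting the
    lock, and every endpoint trusts any valid session, so a second client can
    read the details the lock screen asks for. This is the shape of the bypass
    described in the article, not a description of Twitter's implementation.
    """

    def __init__(self, accounts):
        self._accounts = {a.username: a for a in accounts}
        self._sessions = {}  # session token -> username

    def _issue(self, username):
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def _check_password(self, username, password):
        acct = self._accounts[username]
        if acct.password != password:
            raise PermissionError("bad credentials")
        return acct

    def web_login(self, username, password):
        acct = self._check_password(username, password)
        if acct.locked:  # lock enforced here ...
            raise LockedError("verify with the email or phone on the account")
        return self._issue(username)

    def system_account_login(self, username, password):
        # Models adding the account in the phone's settings: same credentials,
        # separate code path ... and the lock is never consulted.
        self._check_password(username, password)
        return self._issue(username)

    def account_settings(self, token):
        acct = self._accounts[self._sessions[token]]
        return {"email": acct.email, "phone": acct.phone}

    def unlock(self, username, proof):
        acct = self._accounts[username]
        if proof in (acct.email, acct.phone):
            acct.locked = False
            return True
        return False


class HardenedService(VulnerableService):
    """Same service, but every session-bearing request passes one gate that
    re-reads the account's current lock state. Which client created the
    session, or whether it predates the lock, no longer matters."""

    def _authorize(self, token):
        acct = self._accounts[self._sessions[token]]
        if acct.locked:
            raise LockedError("verify with the email or phone on the account")
        return acct

    def account_settings(self, token):
        acct = self._authorize(token)
        return {"email": acct.email, "phone": acct.phone}


def bypass_succeeds(service_cls):
    """Replay the article's steps against a service class. Returns True if the
    lock could be cleared using details read through the second client."""
    acct = Account("alice", "correct horse", "alice@example.com", "+15555550100")
    svc = service_cls([acct])
    acct.locked = True
    try:
        svc.web_login("alice", "correct horse")
        return False  # lock not enforced at all; not the bug under discussion
    except LockedError:
        pass  # web path is locked, as expected
    token = svc.system_account_login("alice", "correct horse")
    try:
        info = svc.account_settings(token)
    except LockedError:
        return False  # central gate blocked the second client
    return svc.unlock("alice", info["email"])


if __name__ == "__main__":
    print("vulnerable bypassed:", bypass_succeeds(VulnerableService))  # True
    print("hardened bypassed:  ", bypass_succeeds(HardenedService))    # False
```

The design point is where the check lives: a lock that is a property of the account has to be evaluated wherever a session for that account is used, not only in the login form the developers happened to be thinking about. Revoking or re-validating existing sessions when the lock is applied, and keeping the verification factors themselves out of reach of a locked session, both fall out of that single gate.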

An attacker so inclined could, though not without some difficulty, have used the same route to get into the account of an unsuspecting user.

The issue was fixed promptly: Saini sent his report on 7 October last year, and the fix landed four days later.
