A flaw in Twitter allowed attackers to access locked accounts, bypassing the locking mechanism implemented by the company.
Twitter can lock a user account whenever it believes the user is abusing its services for activities not allowed by the usage policy, or for security reasons, if the company identifies suspicious behavior that could indicate the account may have been hacked.
In order to unlock the account, the owner needs to confirm his identity by providing some information, such as the email address and the phone number.
The security expert Aaron Ullger devised a method to bypass the Twitter account locking mechanism by adding the targeted account to a mobile device.
“I recently found a flaw in the lockout mechanism Twitter has in place to protect accounts from unauthorized access. This flaw resulted in a complete bypass of the verification page which is presented to users if their account is locked.” reads the post published by Ullger.
The researcher added the locked Twitter account to his iPhone via the mobile Settings page; it was then enough to install the Twitter app on the device to get full access to the account.
Ullger explained that even with this procedure the account remained locked on the Twitter website. In order to complete the bypass procedure, the attacker needs to retrieve the information to unlock it. In order to achieve his goal, Ullger used the iOS Twitter app to access the account’s settings and get the email address and phone number of the legitimate owner of the account. At this point, the attacker can unlock the Twitter locked account by starting the official verification procedure.
“After some more failed attempts, I remembered that it was possible to add your Twitter account to your iPhone through device settings.” wrote the expert.
“The settings option for Twitter (which allows you to add/remove Twitter accounts) is present on your phone even if you’ve never installed the Twitter app before. I was able to add my locked Twitter account to my device through settings without any problems.”
The researcher highlighted that exploiting the flaw was useful to an attacker who had stolen the targeted user’s credentials and wanted to avoid being locked out of the account.
“I was then able to submit this information on the verification page I was previously displayed, which allowed me to login to the desktop Twitter site as well. The locked flag was then completely removed from my account.” Ullger wrote in a blog post.
“An attacker with knowledge of a locked account’s credentials would’ve been able to exploit this issue to gain complete access to the victim’s profile.”
Below is the timeline of the vulnerability:
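The two conditions the bypass relied on were a sign-in path that did not apply the lock, and account settings that revealed the same email address and phone number the unlock page asks for. The sketch below is an added example, not Twitter's code: `AuthService`, the channel names and the field names are hypothetical, and it shows one way to enforce the lock at a single point for every client and to withhold verification data while an account is locked.

```python
# Added illustration with hypothetical names; not Twitter's implementation.
import hmac
from dataclasses import dataclass

CHANNELS = {"web", "mobile_app", "os_account"}  # assumed client entry points
VERIFICATION_FIELDS = {"email", "phone"}        # answers the unlock page asks for

@dataclass
class Account:
    handle: str
    password: str      # plaintext only to keep the constructed sample short
    email: str
    phone: str
    locked: bool = False

class AuthService:
    def __init__(self, accounts):
        self.accounts = {a.handle: a for a in accounts}

    def login(self, handle, password, channel):
        """Single session-issuing path shared by every channel."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        acct = self.accounts.get(handle)
        if acct is None or not hmac.compare_digest(
                acct.password.encode(), password.encode()):
            return None
        # The lock is read from the account at issuance, so no channel can
        # obtain a full session for a locked account.
        scope = "restricted" if acct.locked else "full"
        return {"handle": handle, "channel": channel, "scope": scope}

    def get_settings(self, session):
        acct = self.accounts[session["handle"]]
        settings = {"handle": acct.handle, "email": acct.email, "phone": acct.phone}
        # Re-check the live lock state: a session issued before the lock must
        # not reveal the values the unlock challenge relies on.
        if acct.locked or session["scope"] != "full":
            for field in VERIFICATION_FIELDS:
                settings[field] = "<withheld while locked>"
        return settings

    def unlock(self, handle, email, phone):
        acct = self.accounts[handle]
        if (email, phone) == (acct.email, acct.phone):
            acct.locked = False
        return not acct.locked
```
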
- Oct 7, 2016 – Report sent
- Oct 7, 2016 – Report triaged by Twitter
- Oct 11, 2016 – Issue marked as fixed, report resolved by Twitter
- Oct 14, 2016 – Bounty awarded
The flaw was reported to Twitter on October 7 and it was patched a few days later. The researcher said he received an unspecified bug bounty for his work.
Twitter launched a bounty program in 2014; it is run on the HackerOne platform, and bug hunters could earn up to $15,000 for the most severe issues.
Since 2014, Twitter has paid out a total of more than $600,000 for 600 vulnerabilities.