Bypassing Twitter’s account lockout protection

I recently found a flaw in the lockout mechanism Twitter has in place to protect accounts from unauthorized access. This flaw resulted in a complete bypass of the verification page that is presented to users when their account is locked.

An attacker would’ve required previous knowledge of the victim’s account password to exploit this issue.

Twitter usually restricts access to your account if suspicious login activity is detected.

When your account is locked, you are presented with a verification page upon login where you have to enter the email address or phone number linked to the account to regain access.

When testing potential bypasses, I first tried logging in via mobile.twitter.com, where I was presented with the above-mentioned verification page. I then tried logging in via tweetdeck.twitter.com, which brought me back to the verification page once again.

After some more failed attempts, I remembered that it was possible to add your Twitter account to your iPhone through device settings.

The settings option for Twitter (which allows you to add/remove Twitter accounts) is present on your phone even if you’ve never installed the Twitter app before.

I was able to add my locked Twitter account to my device through settings without any problems.

OK, cool. We have a partial bypass.

After authenticating through Twitter settings on my phone, I was able to do pretty much everything on my account. However, my account was still locked on the desktop Twitter site, which prevented me from changing my email address or password.

To escalate this issue to a complete bypass, I would still need to get past the verification page presented to me on the desktop Twitter site.

I downloaded the Twitter app for iOS and found that my account was already logged in and ready to use. I navigated to account settings and found that the email address and phone number linked to my account were listed right there.

I was then able to submit this information on the verification page I had previously been shown, which allowed me to log in to the desktop Twitter site as well. The locked flag was then completely removed from my account.

An attacker with knowledge of a locked account’s credentials would’ve been able to exploit this issue to gain complete access to the victim’s profile.
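The root cause described above is a lockout check that lived in some login paths but not in the one behind the iOS device settings, combined with a verification challenge (email or phone) that any logged-in session can read. The toy model below is an added illustration and is not Twitter's code: it shows the per-endpoint check that one channel forgot beside a hardened version where every channel goes through a single session-issuing chokepoint, plus a regression check a defender can run against each login channel. Account names, passwords and contact details are constructed; the PBKDF2 hashing is only there to keep the model realistic.

```python
"""Toy model of account lockout enforced per login endpoint versus at one
central chokepoint. Constructed example; not Twitter's implementation."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: str
    password_hash: str
    email: str
    phone: str
    locked: bool = False  # set when suspicious login activity is detected


def hash_password(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


def new_store() -> dict:
    """Fresh account store; 'alice' starts out locked (constructed data)."""
    salt = secrets.token_hex(8)
    return {
        "alice": Account("alice", salt, hash_password("correct horse", salt),
                         "alice@example.invalid", "+15555550100", locked=True),
    }


def check_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))


def session_for(acct: Account) -> dict:
    # A logged-in session exposes the contact details in account settings.
    return {"user": acct.username, "email": acct.email, "phone": acct.phone}


# --- Vulnerable design: each client-facing login path repeats its own checks.

def login_web_vulnerable(store: dict, username: str, password: str) -> dict:
    acct = store[username]
    if not check_password(acct, password):
        return {"status": "denied"}
    if acct.locked:
        return {"status": "locked", "challenge": "confirm email or phone"}
    return {"status": "ok", "session": session_for(acct)}


def login_device_settings_vulnerable(store: dict, username: str, password: str) -> dict:
    # Separately written legacy path; the lock check was never added here.
    acct = store[username]
    if not check_password(acct, password):
        return {"status": "denied"}
    return {"status": "ok", "session": session_for(acct)}


# --- Hardened design: one chokepoint issues sessions; channels only delegate.

def issue_session(store: dict, username: str, password: str) -> dict:
    acct = store[username]
    if not check_password(acct, password):
        return {"status": "denied"}
    if acct.locked:  # the lock is evaluated here for every channel
        return {"status": "locked", "challenge": "confirm email or phone"}
    return {"status": "ok", "session": session_for(acct)}


def login_web_hardened(store: dict, username: str, password: str) -> dict:
    return issue_session(store, username, password)


def login_device_settings_hardened(store: dict, username: str, password: str) -> dict:
    return issue_session(store, username, password)


def unlock_with_contact(store: dict, username: str, submitted: str) -> bool:
    """The verification page: clears the lock if the submitted value matches
    the email or phone on file. Only safe if no session can leak those values."""
    acct = store[username]
    if submitted in (acct.email, acct.phone):
        acct.locked = False
        return True
    return False


def lock_enforced_on(store: dict, login_fn, username: str, password: str) -> bool:
    """Regression check for one login channel: a locked account must not get a
    session, and the lock must still hold afterwards. Returns True if it holds."""
    result = login_fn(store, username, password)
    if result["status"] == "ok":
        # A session was issued to a locked account; its contact details would
        # answer the verification page, so the lock no longer protects anything.
        unlock_with_contact(store, username, result["session"]["email"])
    return store[username].locked and result["status"] != "ok"
```

Run `lock_enforced_on` once per login channel in an integration test; any channel that is added later (a new client, a legacy API) fails the check unless it routes through `issue_session`.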

Timeline

  • Oct 7, 2016 – Report sent
  • Oct 7, 2016 – Report triaged by Twitter
  • Oct 11, 2016 – Issue marked as fixed, report resolved by Twitter
  • Oct 14, 2016 – Bounty awarded