The first issue could have been leveraged by hackers to upload arbitrary files to Twitter’s systems. According to the expert, the flaw plagued dev.twitter.com, a website that allows developers to create applications that integrate with Twitter.
“You will have an option to upload an image for that application. The uploader will check the uploaded files to accept certain image extensions only, like PNG, JPG; other extensions won’t get uploaded,” the expert told Softpedia.
He added, “The vulnerability allowed me to bypass this security check/validation and to successfully upload .htaccess and .php files to the twimg.com server. twimg.com is working as a CDN (content delivery network), which means that every time I upload a file it will be hosted on a different server/subdomain of twimg.com.”
Under normal circumstances, a hacker who can upload PHP files to a server can execute commands on that server. However, since twimg.com works as a CDN, scripts cannot be executed on it.
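The uploader described above trusted the file extension alone. The following is an added example (not Twitter’s code) of the server-side checks a hardened image uploader performs instead: it rejects dotfiles such as .htaccess, multiple extensions, null bytes and path separators in the name, confirms the file’s magic bytes match the claimed image type, and stores the file under a server-chosen name. The function name, the allowlist and the size limit are assumptions.

```python
import hashlib
import re

# Allowlisted image types, each with the magic-byte prefixes a genuine file must start with.
# The client's Content-Type header is attacker-controlled and is deliberately not consulted.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, data, max_bytes=5 * 1024 * 1024):
    """Return (accepted, reason, stored_name) for a candidate image upload (hypothetical helper)."""
    if len(data) == 0 or len(data) > max_bytes:
        return False, "bad size", None
    # Keep only the final path component so "../x.png" or "C:\x.png" cannot steer the write.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base:
        return False, "null byte in name", None
    if base.startswith("."):
        return False, "dotfile not allowed", None          # blocks .htaccess
    parts = base.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required", None  # blocks shell.php.png
    stem, ext = parts[0], parts[1].lower()
    if not _SAFE_STEM.match(stem):
        return False, "unsafe characters in name", None
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None       # blocks shell.php
    # The extension claims an image; require the bytes to agree so a renamed script is refused.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None
    # Never reuse the client-supplied name on disk: derive the stored name from the content hash.
    stored = hashlib.sha256(data).hexdigest()[:32] + "." + ext
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header plus padding, and a PHP stub renamed to .png.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, blob in [("avatar.png", png_bytes), (".htaccess", b"x"),
                       ("shell.php.png", png_bytes), ("shell.png", b"<?php echo 1; ?>")]:
        print(name, validate_upload(name, blob))
```

Serving uploads from a separate, non-credentialed domain with `X-Content-Type-Options: nosniff` limits the damage if a check is ever bypassed again.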
On the other hand, there are still plenty of things cybercriminals could do. For instance, they could use the Twitter service as a botnet command and control server. This would be particularly effective considering that twimg.com is a trusted domain.
Furthermore, hackers could have used the vulnerability to host their malicious files.
Hegazy says that an attacker could have damaged Twitter’s reputation by uploading a defacement page to twimg.com subdomains to make it look like they had been breached.
Fortunately, the flaw has been addressed by Twitter.
In addition to this vulnerability, the expert has also identified a vulnerability that could have been exploited by hackers to redirect users to arbitrary websites. This security hole has also been fixed by Twitter.
Twitter doesn’t have a bug bounty program yet. However, the company has added Ebrahim Hegazy’s name to its security hall of fame.
Here are the videos in which the expert shows how the unrestricted file upload vulnerability could have been exploited:
Check out the proof-of-concept video for the open redirect vulnerability: