Nothing is more valuable to a threat actor than being able to breach a database. Think about it. Every online account is connected to a database that stores user information: email addresses, passwords, phone numbers, payment information - the works. If these fall into the "enemy's" hands, the sky is the limit when it comes to the level of damage to affected individuals and companies.
For a moment, forget phishing, social engineering attacks, and distributed denial of service attacks. These are the attack vectors of the common rabble. Database attacks are ostensibly the golden egg of cyberattacks.
What if Facebook’s database was compromised? The price tag on a database like this sold on the black market would be mind-blowing. Nevertheless, this recently happened to Twitter. This is a data breach so extensive that heads should be rolling.
Vulnerability Published on HackerOne in January
Unfortunately, this is arguably yet another case in which public disclosure created a nightmare scenario that could otherwise have been prevented. The vulnerability was discovered by an individual under the username zhirinovskiy, and published on January 1st on HackerOne, the leading bug bounty and vulnerability disclosure program.
The bug could allow an attacker to gain access to the phone number and email address connected with Twitter accounts, regardless of whether the user has configured the account to hide this information in their privacy settings.
However, it is important to note that the vulnerability exclusively affected Twitter’s Android client, and arose during the authentication process by exposing the user's Twitter ID, regardless of their privacy preferences.
In the report, the user zhirinovskiy explained how to exploit the bug using the Twitter app on Android devices saying:
The vulnerability allows any party without any authentication to obtain a Twitter ID (which is about equivalent to getting the username of an account) of any user by submitting a phone number/email even if the user has prohibited such an action in the privacy settings.
The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the approach used for checking the duplication of a Twitter account.
The good news is, Twitter has since patched the bug, but during the timeframe after the researcher published it, the report was discovered by an unknown threat actor. By making the disclosure public, the attacker learned of the bug and took advantage of it.
This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.
The initial vulnerability disclosure pretty much laid out the blueprint on how to mirror the exploit and access the information from any Twitter account. The issue escalated. Five days after zhirinovskiy’s disclosure, Twitter staff confirmed that the bug was a “valid security issue” and affirmed that they would examine and address it. After further investigation, Twitter fixed the vulnerability and awarded the researcher a $5,040 bounty.
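The class of bug the researcher describes is a signup-time duplicate-account check that answers an unauthenticated caller with the linked account ID, ignoring the owner's discoverability settings. The following is an added illustration, not Twitter's code or anything from the HackerOne report: a constructed in-memory user store with the leaky pattern beside two hardened variants, one that returns a uniform reply and defers the "is this taken?" answer to out-of-band verification, and one that only answers authenticated callers and honours the owner's opt-out. All names, users and contacts are assumptions made up for the example.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data (hypothetical, not real accounts).
@dataclass
class User:
    user_id: int
    email: str
    phone: str
    discoverable_by_email: bool = False
    discoverable_by_phone: bool = False

USERS = [
    User(1001, "alice@example.com", "+15550000001", discoverable_by_email=True),
    User(1002, "bob@example.com", "+15550000002"),  # opted out of both
]
PENDING: dict = {}  # contact -> verification code awaiting confirmation

def _find(contact: str):
    return next((u for u in USERS if contact in (u.email, u.phone)), None)

def vulnerable_duplicate_check(contact: str) -> dict:
    """The leaky pattern: anyone can submit a phone/email and learn whether it
    is registered and which account it maps to, privacy settings ignored."""
    u = _find(contact)
    return {"taken": u is not None, "user_id": u.user_id if u else None}

def hardened_duplicate_check(contact: str) -> dict:
    """Uniform reply regardless of whether the contact exists. A verification
    code is delivered out of band (assumed here), so only whoever controls the
    mailbox or phone learns the registration status. Rate-limit this too."""
    PENDING[contact] = secrets.token_hex(3)
    return {"status": "verification_sent"}

def discover_contact(contact: str, caller_authenticated: bool) -> dict:
    """Contact-sync style lookup: requires an authenticated caller and returns
    a match only if the owner opted in for that specific contact type."""
    if not caller_authenticated:
        return {"error": "authentication required"}
    u = _find(contact)
    if u is None:
        return {"match": None}
    allowed = u.discoverable_by_email if contact == u.email else u.discoverable_by_phone
    return {"match": u.user_id if allowed else None}
```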
Unfortunately, the story doesn’t end there.
When Public Disclosure Attracts Cybercriminals
The exact attack method described by the researcher in the January report was exploited in the wild by an attacker that goes by the username “devil”, who used it to extract sensitive user data of 5.4 million users. The hacker then proceeded to sell the exploited Twitter database on a renowned hacker forum known as Breached Forums.
When contacted, the attacker explained that the hack was made possible using the information disclosed in the HackerOne report. This shouldn’t come as a surprise. If I publish my credit card information online, someone is going to take my money.
The same goes for public vulnerability disclosure.
If you publish a vulnerability to a popular platform and offer a detailed explanation of how to exploit it, someone is going to take advantage of it. It’s obvious.
While vulnerability disclosure has become a vital asset for both researchers and the companies looking to maintain a secure environment, publicly releasing details that give a threat actor the step-by-step instructions required to replicate an attack is the antithesis of the very goals these companies are seeking to achieve.
To a former black hat like me, the current disclosure methodology is arguably insane. A secure disclosure method is necessary in order to protect the integrity of sensitive information. Anything less than this creates a very real concern that opportunistic threat actors can find and abuse the disclosure report to their advantage.