A critical vulnerability in Twitter’s advertising service allowed a researcher to delete credit cards from any Twitter account.
According to The Hacker News, two different vulnerabilities were found in ads.twitter.com. The first lies in the credit card delete function on the payment methods page: choosing “Delete this card” sends an Ajax POST request to the server carrying the account ID and the credit card ID as parameters.
“All I had to do was change those two parameters to my other Twitter account ID and credit card ID, then replay the request, and I suddenly found that the credit card had been deleted from the other Twitter account without any required interaction,” Aboul-Ela wrote. The page responded with “403 Forbidden”, but the credit card had in fact been deleted from the account.
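The flaw described above is an insecure direct object reference: the server acts on a client-supplied account ID instead of the account bound to the session. The following is an added example, not code from the article, from Aboul-Ela, or from Twitter. It models a delete endpoint with constructed account and card data, and it assumes (to reproduce the reported symptom of a 403 response with the card still deleted) that the vulnerable handler performs the deletion before the ownership check decides the status code; the hardened handler authorizes first and only ever touches the session owner's cards.

```python
"""Toy model of the ads.twitter.com credit card IDOR (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Store:
    # account_id -> {card_id: last four digits}; constructed sample data
    cards: Dict[str, Dict[str, str]] = field(default_factory=lambda: {
        "acct-1": {"card-11": "4242"},
        "acct-2": {"card-22": "1111"},
    })


def vulnerable_delete(store: Store, session_account: str,
                      account_id: str, card_id: str) -> Tuple[int, str]:
    """Assumed root cause: the deletion runs on the client-supplied account_id,
    and the authorization check only selects the response code afterwards.
    This reproduces the symptom reported in the article (403, card gone)."""
    store.cards.get(account_id, {}).pop(card_id, None)   # side effect happens first
    if account_id != session_account:
        return 403, "Forbidden"
    return 200, "deleted"


def hardened_delete(store: Store, session_account: str,
                    account_id: str, card_id: str) -> Tuple[int, str]:
    """Authorize before acting: reject any request whose owner id does not match
    the session, and look the card up only in the session owner's own cards."""
    if account_id != session_account:
        return 403, "Forbidden"
    owned = store.cards.get(session_account, {})
    if card_id not in owned:
        return 404, "No such card"
    del owned[card_id]
    return 200, "deleted"


def demo() -> Dict[str, Tuple[int, bool]]:
    """Replay the request as acct-1 but with acct-2's account and card ids
    against both handlers; returns {handler: (status, card-22 still present)}."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_delete),
                          ("hardened", hardened_delete)):
        store = Store()
        status, _ = handler(store, "acct-1", "acct-2", "card-22")
        results[name] = (status, "card-22" in store.cards["acct-2"])
    return results


if __name__ == "__main__":
    for name, (status, still_present) in demo().items():
        print(f"{name}: status={status}, victim card still present={still_present}")
```

The safer design is to not accept an owner identifier from the client at all and to resolve the card purely from the session's account. A 403 that is accompanied by a state change is also a useful detection signal: an audit log that records both the authorization outcome and the mutation makes this class of bug visible in review.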