Today I’m gonna show you how to verify any (unused) email on a Twitter account without having access to the email itself.
But the important question: why verify an email on a Twitter account? Twitter email verification is compulsory; you cannot create an account without verifying the email address, to decrease the spam on Twitter, but that’s not actually the problem. Personally, I don’t like spam bugs; I don’t consider them a security issue *sometimes*. However, there’s a chance for a bigger problem.
The real problem is: Impersonation
Impersonation: an act of pretending to be another person for the purpose of entertainment or fraud.
So imagine someone who is really famous, for example Ali Kabeel. He isn’t that famous, but let’s take him as an example for now.
So Ali isn’t a fan of Twitter and has no Twitter account, but he is famous and well known. One day one of Ali’s crazy fans was able to find Ali’s email address. He signed up with this email address on Twitter and verified the email without having access to the email itself, using this bug.
So now any crimes committed by this account on Twitter will impact Ali Kabeel’s reputation.
But it doesn’t sound like a big deal, right?
So let’s take a hint: Login with Twitter
That’s actually the deal: this functionality may impact Ali Kabeel on third-party websites that use “Login with Twitter”. Let’s continue the story: 2 years ago Ali signed up using his email address on shikobiko.com, which uses the “Login with Twitter” functionality.
So the crazy fan knew about it (because he is a crazy fan), went to shikobiko.com and clicked Login with Twitter.
And boom, he logged in to Ali’s account! Can you believe that?
It also depends on how a website uses this third-party feature. In our example, “shikobiko.com” matches on the email address and logs the user in directly, treating the “email address” as the trust factor.
You can hack any non-Twitter user on third-party websites with a scenario similar to this!
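As an added example (not code from the original post or from any real site), this sketch contrasts the email-as-trust-factor login described for “shikobiko.com” with one keyed on the provider's user id, where an email collision requires authenticating to the existing account before linking. The store layout, function names and sample profile are constructed for illustration.

```python
def new_store():
    # Constructed sample data: one local account created by direct signup.
    return {
        "users": {1: {"email": "ali@example.com"}},
        "links": {},  # (provider, provider_user_id) -> local user id
    }

def _create(store, provider, profile):
    uid = max(store["users"], default=0) + 1
    store["users"][uid] = {"email": profile["email"]}
    store["links"][(provider, profile["id"])] = uid
    return ("created", uid)

def _find_by_email(store, email):
    for uid, user in store["users"].items():
        if user["email"].lower() == email.lower():
            return uid
    return None

def login_by_email(store, provider, profile):
    """Weak pattern: the provider-supplied email alone selects the account."""
    uid = _find_by_email(store, profile["email"])
    if uid is not None:
        return ("logged_in", uid)
    return _create(store, provider, profile)

def login_by_subject(store, provider, profile):
    """Hardened: only a previously linked provider user id selects an account."""
    key = (provider, profile["id"])
    if key in store["links"]:
        return ("logged_in", store["links"][key])
    uid = _find_by_email(store, profile["email"])
    if uid is not None:
        # Email collides with an existing account: no session is issued.
        # The user must first authenticate to that account locally.
        return ("link_requires_local_auth", uid)
    return _create(store, provider, profile)

def confirm_link(store, provider, profile, uid, local_auth_ok):
    """Record the link only after local authentication to account `uid`."""
    if not local_auth_ok:
        return False
    store["links"][(provider, profile["id"])] = uid
    return True
```

With the hardened path, a provider account that merely carries a matching email never receives a session for the existing local account.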
The Story of the Vulnerability
One day I logged in to Twitter, then after logging in I went to the signup page and got an error. So I logged out and went to the signup page and guess what, the error disappeared!!
There is something wrong here, that’s so obvious.
I intercepted the server request with Burp Suite, then logged in again and went to the signup page, then replayed the server request that I intercepted, so the error disappeared. Then I continued the signup process, and in the email verification part I didn’t receive any verification code; what I found is that the verification code had been sent to the email address that “I logged in with” instead of the email address that “I signed up with”. So I verified the other email address without having access to the email inbox itself, and that’s it. Hope you enjoyed reading.
In this rare case, it seems like Twitter was getting the email from something like a cookie, local storage or a server-side session, which is not the best practice at all!