Earlier this month Twitter launched a HackerOne initiative that rewarded security experts for correctly identifying serious bugs on the platform. The program pays out a minimum of $140 for any qualifying vulnerability, with no maximum reward – indeed, the bounty is scaled against the severity of the flaw.
This week Twitter has patched a hole that would have allowed an attacker to delete the credit cards stored for ad payments on any Twitter account, potentially costing the company millions in revenue. Accordingly, Twitter has paid out $2,800 to the security researcher who exposed the bug, a record bounty for the company.
Ahmed Aboul-Ela discovered two flaws that he says when combined could be used to remove all stored credit cards from all accounts on Twitter.
“The impact of the vulnerability was very critical because all that is needed to delete credit cards is the credit card identifier which consists only of six numbers such as ‘220152’,” said Aboul-Ela. “So imagine a black hat hacker who could write a simple Python code and use a simple for loop on six numbers – he could delete all credit cards from all Twitter accounts which will result in halting all Twitter ads campaigns and will incur big financial loss for Twitter.”
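The weakness Aboul-Ela describes is a classic insecure direct object reference: the delete operation trusts a short, guessable identifier and never checks who owns the card. The following is an added illustration, not Twitter's code, using a hypothetical in-memory `AdPaymentsStore`; it places the vulnerable pattern beside a hardened one that checks ownership and issues random identifiers.

```python
import secrets
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when an account acts on a card it does not own."""


@dataclass
class AdPaymentsStore:
    # Hypothetical model: card_id -> owning account id.
    cards: dict = field(default_factory=dict)

    def add_card_sequential(self, account: str, card_id: str) -> str:
        """Weak scheme: a six-digit id such as '220152' (10**6 keyspace)."""
        self.cards[card_id] = account
        return card_id

    def add_card(self, account: str) -> str:
        """Hardened scheme: 128-bit random, URL-safe identifier."""
        card_id = secrets.token_urlsafe(16)
        self.cards[card_id] = account
        return card_id

    def delete_card_insecure(self, card_id: str) -> bool:
        """Vulnerable pattern: knowing the id is enough; no owner check."""
        return self.cards.pop(card_id, None) is not None

    def delete_card(self, actor: str, card_id: str) -> bool:
        """Hardened pattern: the caller must own the card.

        An unknown id and an id owned by another account raise the same
        error, so the response does not reveal whether a guessed id exists.
        """
        owner = self.cards.get(card_id)
        if owner is None or owner != actor:
            raise AuthorizationError("card not found for this account")
        del self.cards[card_id]
        return True


def attempt_delete(store: AdPaymentsStore, actor: str, card_id: str) -> bool:
    """Return True if the hardened delete was permitted, False if refused."""
    try:
        return store.delete_card(actor, card_id)
    except AuthorizationError:
        return False
```

A server-side fix of this shape (ownership check keyed on the authenticated session, plus unguessable ids) removes both halves of the problem; rate limiting on the endpoint is a useful second layer but not a substitute for the authorization check.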
Aboul-Ela, who goes by the username secgeek on HackerOne, has also collected bounties from Yahoo and RelateIQ.
(Source: The Register.)