Twitter’s recently announced bug bounty program has helped the company identify and patch a serious vulnerability that could have potentially disrupted advertising on its platform.
The flaw would have allowed hackers to delete credit cards associated with accounts on ads.twitter.com, the control panel through which advertisers manage their campaigns on Twitter, according to Ahmed Aboul-Ela, the security researcher who found the issue and reported it to the company.
Exploiting the vulnerability only required sending a specially crafted request to a specific URL containing a six-digit ID assigned to a credit card stored on the platform.
A blackhat hacker could have written a simple script in Python to send requests in a loop and iterate through all possible ID combinations to delete credit cards from all Twitter accounts, Aboul-Ela said in a blog post. This could have halted ad campaigns causing financial losses for Twitter, he said.
The researcher started searching for vulnerabilities in the platform after reading about Twitter’s new bug bounty program. The company announced on Sept. 3 that it will start paying a minimum of US$140 per vulnerability to researchers who privately report flaws they discover in its Web services and mobile apps.
According to Twitter’s page on the HackerOne bug bounty platform, the company paid Aboul-Ela $2,800 for his report, the highest reward it has issued so far.
This incident enforces the idea that bug bounty programs are a successful method of incentivizing researchers to search for vulnerabilities and report them responsibly to the affected companies.
Vulnerability reward programs have come a long way since 2010, when Google became one of the first Internet companies to launch such a program for its online services. Many companies have since followed suit including Facebook, Yahoo, PayPal, Mozilla and Twitter. Today there are even platforms like HackerOne, Bugcrowd and CrowdCurity that can help smaller companies set up their own bug bounty programs.
However, while a well-resourced and implemented bug bounty scheme can be very useful, a poorly managed one can do more harm than good, according to Ilia Kolochenko, CEO of penetration testing firm High-Tech Bridge.
Companies should be aware that a vulnerability reward program will likely attract scans and probes from inexperienced vulnerability hunters who might accidentally damage live systems, he said in a blog post Wednesday. Running such programs also requires dedicated, well staffed security teams who can investigate the often poorly documented reports and figure out where the problem lies, he said.