How I earned $5040 from Twitter by showing a way to harvest other users' IP addresses

Hi guys,

This is Prial Islam, a security researcher from Bangladesh. This is an old finding of mine that I am adding to my blog. Recently I disclosed a POC on how I was able to get all Vine users' sensitive information, including phone numbers, IP addresses, emails and much more, which was reported to Twitter; they patched it and rewarded me $7560. Those who missed it can get the original report here.

Today I am going to disclose another information disclosure vulnerability, which I reported to the Twitter security team through their bug bounty program on HackerOne, and they rewarded me with $5040 for this report.

When I was testing Vine API endpoints, I noticed that an endpoint used in the Vine repost mechanism had a parameter named "ipAddress" with a plain number value like 2130706433. We all know IP addresses look like 127.0.0.1, so the value of "ipAddress" looked invalid. When I searched about it on Google, I came to know that the value is valid: it was an IP address converted to long/decimal format. So I used an online converter tool and was able to get the real IP. (Online converter I used)

Vulnerable endpoint: https://vine.co/api/timelines/users/<POST ID>

Reproduce:

  • To reproduce this issue, the victim user has to have reposted any Vine in his timeline, and a lot of Vine users reposted many Vine posts in their timelines.
  • So copy a reposted Vine post ID, place it in the endpoint and visit it. Example: https://vine.co/api/timelines/users/1293308695089926144
  • When I visited the link, I got a response like the one below (the sensitive contents were removed by the Twitter security team):

    "repost": {
        "username": "██████",
        "verified": 0,
        "vanityUrls": [],
        "created": "█████",
        "repostId": ████████,
        "avatarUrl": "██████",
        "userId": ████,
        "user": {
            "username": "█████████",
            "verified": 0,
            "vanityUrls": [],
            "avatarUrl": "█████████",
            "userId": ████,
            "private": 0,
            "location": █████████
        },
        "flags|platform_lo": 1,
        "postId": ███,
        "ipAddress": 2130706433,
        "flags|platform_hi": 1
    }

  • As you can see, the ipAddress parameter value is in converted form; just use the online tool I gave to convert it back to a valid IP address value.
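A response audit that catches this class of leak before it ships, as an added example that is not part of the original post or Vine's code: it walks a decoded JSON response, flags fields whose name suggests a client address even when the value is in integer form (which dotted-quad pattern scanners miss), and returns a scrubbed copy. The key-name list, the `records` wrapper and all sample values other than the page's 2130706433 are assumptions.

```python
import ipaddress
import re

# Field names that suggest a client address (assumed list; extend per API).
IP_KEY = re.compile(r"^(?:.*_)?(?:ip|ip_?addr(?:ess)?|remote_?addr|client_?ip)$", re.I)

def decode_ip(value):
    """Return the textual address if value encodes an IP, else None."""
    if isinstance(value, str) and value.isascii() and value.strip().isdigit():
        value = int(value.strip())
    if isinstance(value, int) and not isinstance(value, bool):
        # 32-bit integer form, e.g. 2130706433 -> 127.0.0.1
        return str(ipaddress.IPv4Address(value)) if 0 <= value <= 0xFFFFFFFF else None
    try:
        return str(ipaddress.ip_address(value.strip())) if isinstance(value, str) else None
    except ValueError:
        return None

def find_ip_leaks(node, path="$"):
    """Walk decoded JSON and return [(path, raw, decoded)] for IP-bearing fields."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            decoded = decode_ip(val) if IP_KEY.match(key) else None
            if decoded:
                hits.append((here, val, decoded))
            hits.extend(find_ip_leaks(val, here))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            hits.extend(find_ip_leaks(val, f"{path}[{i}]"))
    return hits

def scrub(node):
    """Return a copy of the response without the IP-bearing fields."""
    if isinstance(node, dict):
        return {k: scrub(v) for k, v in node.items()
                if not (IP_KEY.match(k) and decode_ip(v))}
    if isinstance(node, list):
        return [scrub(v) for v in node]
    return node

# Constructed sample shaped like the "repost" object above; values are made up
# except the page's own example integer. The "records" wrapper is an assumption.
SAMPLE = {"records": [{"repost": {"username": "example", "userId": 1234567890,
                                  "postId": 42, "ipAddress": 2130706433}}]}

if __name__ == "__main__":
    for path, raw, ip in find_ip_leaks(SAMPLE):
        print(f"{path}: {raw!r} decodes to {ip}")
```

Matching on field names first keeps ordinary 32-bit integers such as `userId` from being reported as addresses.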

I reported this issue on Jan 26th, and on Feb 25th they paid me $5040 for the report.

$$$$ 👊

Thanks for reading. Happy hunting.