How I earned $5040 from Twitter by showing a way to harvest other users' IP addresses

Prial Islam Khan
Nov 7, 2018 · 2 min read

Hi guys,

This is Prial Islam, a security researcher from Bangladesh. This is an old finding of mine that I am adding to my blog. Recently I disclosed a PoC on how I was able to get all Vine users' sensitive information, including phone numbers, IP addresses, emails and much more; it was reported to Twitter, they patched it and rewarded me $7560. Those who missed it can get the original report here.

Today I am going to disclose another information disclosure vulnerability that I reported to the Twitter security team through their bug bounty program on HackerOne, for which they rewarded me $5040.

While testing Vine API endpoints I noticed that an endpoint used in Vine's repost mechanism had a parameter named "ipAddress" with a plain numeric value like 2130706433. We all know IP addresses look like :- . So the value of "ipAddress" looked invalid. But when I searched for it on Google I learned that the value is valid: it is the IP address converted to long/decimal format. So I used an online converter tool and was able to get the real IP. (Online converter I used)

Vulnerable endpoint: <POST ID>

Reproduce:

  • To reproduce this issue the victim user has to have reposted any Vine in their timeline, and a lot of Vine users have reposted many Vine posts in their timeline.
  • So copy a reposted Vine post ID, place it in the endpoint and visit it. Example:
  • Now when I visited the link I got a response like the one below (the sensitive contents were removed by the Twitter security team):-
"repost": { "username": "██████", "verified": 0, "vanityUrls": [], "created": "█████", "repostId": ████████, "avatarUrl": "██████", "userId": ████, "user": { "username": "█████████", "verified": 0, "vanityUrls": [], "avatarUrl": "█████████", "userId": ████, "private": 0, "location": █████████ }, "flags|platform_lo": 1, "postId": ███, "ipAddress": 2130706433 , "flags|platform_hi": 1 }
  • As you can see the ipAddress parameter value is in its converted form; just use the online tool I gave above to convert it back to a valid IP address.

I reported this issue on Jan 26th and they paid me $5040 for it on Feb 25th.

$$$$ 👊

Thanks for reading. Happy hunting.

Prial Islam Khan
