
Social media has become a powerful communication tool that connects people around the world. In recent years, however, it has become clear that many of these platforms carry security flaws that lead to identity and data theft. One of the most prevalent is the Insecure Direct Object Reference (IDOR). It is an access-control flaw: the application lets the client name the object it wants, typically through a user ID or record number in a URL or API request, and then fails to check that the requesting account is actually authorized to read or modify that object. Authentication on its own does not prevent it, because the attacker is usually a logged-in user asking for someone else's data.
Twitter, one of the most popular social networks and used by millions of people daily, has been the subject of multiple IDOR security incidents in recent years. In December 2019, a researcher found an IDOR vulnerability affecting tweets from companies that operate several user accounts on the platform. It allowed the researcher to reach other user accounts without being authorized for them.
In May 2020, Twitter disclosed another major IDOR incident in which over 130 million records containing users' phone numbers were exposed. The problem was discovered by an individual who retrieved a large number of records by manipulating requests to the platform's API.
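The access pattern behind an incident like the one above, a single client pulling record after record through an API, is usually visible in the server's own access logs well before the data surfaces anywhere else. The following is an added example, not code from this page and not Twitter's tooling: a small detector run over constructed log lines in common access-log format. The endpoint path, the client addresses and the thresholds are assumptions.

```python
"""Detect object-identifier enumeration in API access logs.

Added example, not from the page and not Twitter's own tooling. The log
lines below are constructed, and the endpoint path /api/users/<id>/phone is
an assumption standing in for any endpoint that returns per-user data.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.7 walks user ids 1000..1007 one after another
# (some ids do not exist, hence the 404s); 198.51.100.4 looks at one id twice.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2020:10:00:01 +0000] "GET /api/users/1000/phone HTTP/1.1" 200 88
203.0.113.7 - - [01/May/2020:10:00:01 +0000] "GET /api/users/1001/phone HTTP/1.1" 200 88
203.0.113.7 - - [01/May/2020:10:00:02 +0000] "GET /api/users/1002/phone HTTP/1.1" 404 0
203.0.113.7 - - [01/May/2020:10:00:02 +0000] "GET /api/users/1003/phone HTTP/1.1" 200 88
203.0.113.7 - - [01/May/2020:10:00:03 +0000] "GET /api/users/1004/phone HTTP/1.1" 404 0
203.0.113.7 - - [01/May/2020:10:00:03 +0000] "GET /api/users/1005/phone HTTP/1.1" 200 88
203.0.113.7 - - [01/May/2020:10:00:04 +0000] "GET /api/users/1006/phone HTTP/1.1" 200 88
203.0.113.7 - - [01/May/2020:10:00:04 +0000] "GET /api/users/1007/phone HTTP/1.1" 200 88
198.51.100.4 - - [01/May/2020:10:00:05 +0000] "GET /api/users/1001/phone HTTP/1.1" 200 88
198.51.100.4 - - [01/May/2020:10:00:09 +0000] "GET /api/users/1001/phone HTTP/1.1" 200 88
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status, bytes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The object identifier is the path segment after /api/users/ (assumed layout).
OBJECT_RE = re.compile(r"^/api/users/(?P<id>\d+)/")


def parse_events(log_text):
    """Yield (client, object_id, status) for every request to the watched endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        o = OBJECT_RE.match(m["path"])
        if not o:
            continue
        yield m["client"], int(o["id"]), int(m["status"])


def enumeration_report(log_text, min_distinct=5):
    """Per client: how many distinct ids it touched, how sequential they were,
    and how often the server answered with an error (missing ids, denied access).

    Only clients that touched at least `min_distinct` ids are reported, so that
    ordinary users who reload their own record are not flagged."""
    by_client = defaultdict(list)
    for client, obj_id, status in parse_events(log_text):
        by_client[client].append((obj_id, status))

    report = {}
    for client, events in by_client.items():
        distinct = sorted({obj_id for obj_id, _ in events})
        if len(distinct) < min_distinct:
            continue
        # Share of gaps between consecutive distinct ids that are exactly 1:
        # close to 1.0 means the client is counting upwards through the id space.
        gaps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential_ratio = (sum(1 for g in gaps if g == 1) / len(gaps)) if gaps else 0.0
        error_ratio = sum(1 for _, s in events if s >= 400) / len(events)
        report[client] = {
            "requests": len(events),
            "distinct_ids": len(distinct),
            "sequential_ratio": round(sequential_ratio, 2),
            "error_ratio": round(error_ratio, 2),
        }
    return report


if __name__ == "__main__":
    for client, stats in enumeration_report(SAMPLE_LOG).items():
        print(client, stats)
```

Two caveats for anyone adapting this. On a social network, reading many different public profiles is normal, so the distinct-id count is a strong signal only for endpoints that should ever return the caller's own data (a phone-number endpoint is exactly that) or when combined with per-account rate limits. And the error ratio only helps if the server answers "not yours" with an error; an endpoint with an IDOR returns 200 for every valid id, which is why the sequential ratio is worth tracking as well.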
Twitter has made several attempts to address these problems, but it has yet to take complete responsibility and build a more secure system. Users are therefore advised to be cautious on the platform and to limit the personal information they hand over; a phone number entered for account recovery is only as private as the API that serves it. Suspicious activity should be reported promptly to limit further damage. Ultimately, awareness of current vulnerabilities is key to protecting yourself from malicious activity on social media providers such as Twitter.
Over the past year, IDOR (Insecure Direct Object Reference) vulnerabilities have become a major issue for many of today's most popular online networks, including Twitter. An IDOR is a flaw not in the data but in how the application resolves references to it: the server trusts an identifier supplied by the client and returns or modifies the object without verifying that the caller is allowed to touch it.
A July 2019 report by Imperva cited Twitter's IDOR vulnerability as an example of one of the most common IDOR issues found online. A vulnerability of this kind can let attackers read Twitter users' personal information and manipulate their accounts while authenticated only as themselves; no stolen password is needed.
For example, suppose that after a failed request the browser's address bar shows a URL ending in the user's numeric ID. If the server uses that number alone to decide which record to return, a malicious user can type another account's ID into the address bar and retrieve that account's data. Every control in front of the page (login, session cookies, TLS) is still in place; the one that is missing is a server-side check that the requested object belongs to the requester.
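The lookup described in the paragraph above, beside the two ways it is normally fixed, as an added example that is not code from this page or from Twitter. The profile table, user IDs and phone numbers are constructed test data, and the handler names are hypothetical; any real handler would read from a database instead of a dictionary, but the decision it has to make is the same.

```python
"""An IDOR-prone lookup beside two hardened versions.

Added example, not code from the page or from Twitter. The profile table,
the user ids and the phone numbers are constructed test data, and the
handler names are hypothetical.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed records, standing in for whatever a "/profile/<id>" handler reads.
PROFILES = {
    1001: {"handle": "alice", "phone": "+1-555-0100"},
    1002: {"handle": "bob", "phone": "+1-555-0101"},
}


class ReferenceMap:
    """Indirect object references for one session: the client is handed a
    random token, and the real id never appears in a URL, so there is nothing
    to increment. This is defence in depth, not a substitute for the
    ownership check below."""

    def __init__(self) -> None:
        self._token_to_id: dict[str, int] = {}

    def issue(self, object_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._token_to_id[token] = object_id
        return token

    def resolve(self, token: str) -> Optional[int]:
        return self._token_to_id.get(token)


@dataclass
class Session:
    user_id: int                                   # who logged in (authentication)
    refs: ReferenceMap = field(default_factory=ReferenceMap)


def get_profile_vulnerable(session: Session, profile_id: int) -> Optional[dict]:
    """IDOR: the caller is authenticated, but the only thing that decides which
    record comes back is the id the client typed into the URL."""
    return PROFILES.get(profile_id)


def get_profile_fixed(session: Session, profile_id: int) -> Optional[dict]:
    """Authorization: the requested object must belong to the caller.
    'Not yours' and 'does not exist' both come back as None (a 404 at the
    HTTP layer), so the endpoint does not confirm which ids are valid."""
    if profile_id != session.user_id:
        return None
    return PROFILES.get(profile_id)


def get_profile_indirect(session: Session, token: str) -> Optional[dict]:
    """Indirect reference: resolve the session-scoped token, then still run
    the ownership check. A token issued to one session means nothing in another."""
    profile_id = session.refs.resolve(token)
    if profile_id is None:
        return None
    return get_profile_fixed(session, profile_id)


if __name__ == "__main__":
    alice = Session(user_id=1001)
    print("vulnerable, alice asks for 1002:", get_profile_vulnerable(alice, 1002))
    print("fixed,      alice asks for 1002:", get_profile_fixed(alice, 1002))
    token = alice.refs.issue(alice.user_id)
    print("indirect,   alice uses her token:", get_profile_indirect(alice, token))
```

The ownership check here is the simplest possible policy (a user may read only their own record). For shared resources, such as a company account operated by several people, the comparison becomes a membership lookup against the authenticated session, but it still has to run on the server for every object reference; an unguessable token alone is not enough, because tokens leak through logs, referrers and screenshots.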
Twitter has taken steps to reduce the impact of such IDOR vulnerabilities, but they are not sufficient on their own. In August 2019, researcher Jonathan Leitschuh reported a bug in the Twitter desktop experience on macOS that allowed malicious websites to act with the credentials of any Twitter user who visited them. Twitter patched the issue quickly. That bug was a client-side flaw rather than an IDOR, but it shows how easily users can be exposed to exploitation.
TweetDeck, the platform owned by Twitter, was exposed to an IDOR vulnerability in January 2018. The case involved two accounts belonging to a single user, where a request made in the context of one account could view details of the other without authorization. Twitter engineers resolved the issue fairly quickly.
As our digital lives and social networks become more connected, companies like Twitter must keep protecting their users from such critical vulnerabilities. Input sanitization and defences against code injection are important, but they do not stop an IDOR: the request that triggers it is perfectly well-formed. What prevents it is an authorization check on every object reference, performed server-side against the authenticated session, ideally combined with indirect or unguessable references so that identifiers cannot simply be incremented, and with monitoring for clients that walk through many identifiers. Those practices are what assure users that they are safe from the risks of IDOR exploitation on platforms such as Twitter.