mert tasci
Follow
Mar 11, 2023
—
twitter sent an e-mail to you when someone followed you when someone favorited your tweets etc.
you can unsubscribe the twitter notifications by clicking the “unsubscribe” button in the footer of the mail. then it will redirect you to the following link:
the “uid” parameter contains your twitter account’s id value. i changed this parameter with another user’s id value but my idor test was not successful. (of course, it will not be. lol)
i created a link as follows after a while:
i added another “uid” parameter again to the link. first “uid” parameter is my twitter user id value and the second “uid” parameter is the victim user’s id value. (anyone can access to id value of any user from his profile page.)
that’s it!
i can unsubscribe any user’s e-mail notification. also, you can access my poc video.
bug timeline
reported. — on 2015–08–23
twitter sent a first response. — on 2015–08–25
twitter marked it as “triaged”. — on 2015–08–26
twitter confirmed it and rewarded me. — on 2015–08–29
twitter resolved it. — on 2015–08–30
web hacking 101
also, you can read this bug and more in peter yaworski’s great book! web hacking 101