giftimage.blogg.se

Idle big devil hack

Killing an Uber bug that gave anyone, absolutely anyone, free rides for life: another "ethical hacker" story for you.

Back in 2017, while trying to routinely check up on applications that are used by everyday people to find anomalies in code, I started looking at Uber as an interesting case study.

An application that is used by over 131M people in the world, I was curious if there could be any issues that would interest other hackers, and I went down the rabbit hole of searching for vulnerabilities in the code.

I was able to take several trips in the US and India without paying any money, all thanks to this bug (after taking due permission from the team for replicating this bug). All I had to do was book a ride and use an invalid payment method, and the ride ended up going through as free. (I even made a proof-of-concept video to show that all I had to do was specify an invalid payment method, expressed in a simple string of characters like "abc" or "xyz", and not be billed for the ride.)

I of course ended up alerting Uber about this and they fixed the bug the same day, curbing numerous potential issues in the future.

Although it felt extremely good to find and report this bug, issues like this are recurring and present many hard problems for brands, such as revenue loss, so here are some points for brands to safeguard their applications:

  • Do proactive security for vulnerability discovery, and since most of the tools would miss this, there is a need for testing your applications manually.
  • Consistent security assessments are required for finding new flaws like this, so engage with an external community of hackers; there is nothing like 100% security.
  • Have more checks on CI/CD to detect issues early on; this needs to be done before things get pushed to production, which enables shift-left security.

But, I know you might still be thinking, how did such a large issue go unnoticed by the team? Well, that's where the expertise of an ethical hacker like me comes in. We understand how hackers think and operate, and this understanding gives us a very unique perspective on solving security code issues. We play devil's advocate all the time and so we're able to safeguard corporates and customers the way we do.

Want to know the details of how I did it?

I once reported a bug on Twitter that let anyone post anything from the user's profile. Imagine the kind of mayhem that could create for any innocent Twitter user. My curiosity not only led me to a handsome bounty of $5,040 but also put my name on the map of Twitter's top 3 researchers in the world (the first one from India).

Twitter, I feel, is more than just a social network. It can get you fired from your job/project, make you go viral or break you overnight, or even overthrow companies and governments sometimes. So in 2016, when Twitter launched Twitter Studio, just out of habit, I started to look for security loopholes before bad boys could. Unsurprisingly, I found the bug that allowed me to post any tweet from any account I wanted. What's worse was that I could upload content/media from any account, delete videos other accounts had posted, and even access private files people had exchanged and uploaded on Twitter.

How? I found a basic yet harmful vulnerability. Basically, all API requests on were sending Twitter a parameter named "owner_id", which was the Twitter user id (publicly available and sequential) of the logged-in user.
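The owner_id flaw in the Twitter Studio story above is a classic insecure direct object reference: the server took the caller's identity from a client-controlled parameter instead of from the session. The Python below is an added illustration, not code from the post or from Twitter: a vulnerable authorization check beside its hardened form, plus a log check that flags requests whose owner_id does not match the session user. The media table, session store and access-log format are all constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed demo data (not Twitter's data model): media items and sessions.
MEDIA = {101: {"owner_id": 1, "title": "launch video"},
         102: {"owner_id": 2, "title": "private draft"}}
SESSIONS = {"sess-alice": 1, "sess-bob": 2}  # session token -> user id
# Constructed API access-log entries: the session that sent the request and
# the owner_id value the client put in the request body.
ACCESS_LOG = [
    {"request_id": "r1", "session_token": "sess-alice", "owner_id": 1},
    {"request_id": "r2", "session_token": "sess-bob", "owner_id": 1},
]


@dataclass
class Request:
    session_token: str                          # authenticated identity
    params: dict = field(default_factory=dict)  # client-controlled body


def authorize_vulnerable(req: Request, media_id: int) -> bool:
    """Authorizes with the client-supplied owner_id: the IDOR pattern."""
    item = MEDIA.get(media_id)
    if item is None or req.session_token not in SESSIONS:
        return False
    # The ownership check compares against a value the caller chose, so any
    # logged-in user can act on any media item by sending that owner's id.
    return item["owner_id"] == int(req.params.get("owner_id", -1))


def authorize_hardened(req: Request, media_id: int) -> bool:
    """Derives ownership from the session; owner_id in the body is ignored."""
    user_id = SESSIONS.get(req.session_token)
    item = MEDIA.get(media_id)
    if user_id is None or item is None:
        return False
    return item["owner_id"] == user_id


def suspicious_requests(log: list) -> list:
    """Returns request ids whose owner_id differs from the session's user.
    That mismatch is the signature of someone probing this class of bug."""
    flagged = []
    for entry in log:
        user_id = SESSIONS.get(entry["session_token"])
        if user_id is not None and entry.get("owner_id") not in (None, user_id):
            flagged.append(entry["request_id"])
    return flagged
```

Running `suspicious_requests(ACCESS_LOG)` flags only "r2", the request where Bob's session claimed Alice's owner_id.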