Credit card cutting flaw could have killed EVERY AD on Twitter

Twitter has patched a flaw in its service that allowed unauthorised users to delete every credit card from all accounts, potentially relieving the company of its advertising revenue, security researcher Ahmed Aboul-Ela says. The attacks worked through a direct object reference vulnerability and involved the manipulation of …

  1. Anonymous Coward

    I'm a little out of the loop of social networking, but why does Twitter have CC numbers? Do social network sites require you to buy your friends?

    1. enerider
      Happy

      I could be wrong...

      ...but I'm thinking this is to do with the advertising agencies' ability to buy advertising spaces on Twitter?

      1. big_D Silver badge

        Re: I could be wrong...

        That's what invoices are for...

    2. Test Man

      You can "promote" your Tweet for a fee.

    3. Gene Cash Silver badge

      How do you think you get the little "verified by twitter" flag?

  2. Sanctimonious Prick
    Coat

    He Got Too Much

    Should of been $2,600 :D

    1. FlatSpot
      Headmaster

      Re: He Got Too Much

      Should HAVE been

      1. John Brown (no body) Silver badge

        Re: He Got Too Much

        Yes, it's strange how many people can't spell should've, could've etc. and can't even manage to get the mis-spelling phonetically correct.

        1. VinceH Silver badge

          Re: He Got Too Much

          The problem is that there are people who do actually say "of" instead of "have" or "'ve" - I hear it often. And they are definitely saying "of" - it's not me mishearing them. I suspect the origins lie further up the line where they've heard people saying "should've" etc, and actually thought they were saying "should of" etc, and that then gets repeated and offspring/other family members pick up on it and perpetuate it further.

          So when someone writes "should of" instead of "should've" - it might not be that they can't spell, instead it might be that they actually think it should be "should of", and actually say it that way.

          1. Anonymous Coward

            Re: He Got Too Much

            @VinceH

            "So when someone writes "should of" instead of "should've" - it might not be that they can't spell, instead it might be that they actually think it should be "should of", and actually say it that way."

            I think that nails why you see so much of this now. My take is that people increasingly have what might previously have been informal pub etc conversations online in forums, comments, twitter etc, and do so using pretty much the language and tone of a conversation. They may be fairly eloquent speakers, but they end up using words and phrases they've never encountered in written form and have made assumptions about what is actually said, with speech tending to gloss over minor slips - particularly after a few beers - whereas text is unforgiving. Before net use was widespread, most people wrote little beyond occasional formal correspondence, so it just wasn't an issue that came up anyway.

            I've occasionally had something similar with words read in books as a kid that I've never had reason to say or heard spoken, and when I do my pronunciation is way off. My German girlfriend, who speaks almost flawless and accent-free English, finds herself constantly tripping over herself when trying to use English idioms (which she loves) in emails; she keeps finding phrases she likes, but has misheard repeatedly, and although she broadly understands the meaning and context, the words are completely wrong to the point of being unrecognisable as an attempt at the original phrase. It can get surreal. She's now getting very twitchy when one of her German colleagues keeps repeatedly using "to my opinion" in emails rather than "in".

            ... Whoops, just realised this is a year old thread - must pay more attention!

        2. BrownishMonstr

          Re: He Got Too Much

          Then there's the fact that misspelling occurs without realising. Turd happens.

      2. Sanctimonious Prick
        Unhappy

        Re: He Got Too Much

        Apologies. I did hesitate, thinking should it be HAVE or OF. I just flipped a coin.

        Didn't enjoy English at school :(

        1. Looper

          Re: He Got Too Much

          Not so sanctimonious now are you Mr. Prick?

  3. Mephistro Silver badge
    Facepalm

    $2,800???

    And it's the biggest prize to date??? How many security specialists/hackers have discovered similar flaws and decided to keep them secret, because either they consider these amounts a pittance and an insult, or they reckon they'll be able to gain much more by selling these flaws to the highest bidder or exploiting the flaws themselves?

    Twitter are a bunch of cheapskates -like most other companies with similar bug hunting programs- and this will bite them in the ass sooner than later.

  4. Allan George Dyer Silver badge
    Childcatcher

    A Win for Users

    Fantastic! A researcher discovers a vulnerability, reports it, the company concerned immediately fixes it and pays a reward. This is going to start a positive trend in responsible reporting, with security benefits for end users.

    Oh, no, wait... nevermind.

    Where's the cynic icon?

  5. Lionel Baden

    only 2800

    wonder if he will help them next time or just turn to the dark side ???

    considering the financial loss potential they could have shown a bit more gratitude.

    1. Monty Cantsin

      Re: only 2800

      Would have been more apt if it was 2600.

    2. tomban
      Joke

      Re: only 2800

      Over 9000?

  6. John Smith 19 Gold badge
    Unhappy

    Actually this is an error I'd quite like to see more of.

    Doesn't hurt the user.

    f**cks the company big time.

    Of course if you haven't worked out by now that you are the product Twitter is selling to its customers, the ad buyers, you're pretty dumb.

    1. Brewster's Angle Grinder Silver badge

      Re: Actually this is an error I'd quite like to see more of.

      Hey, at least somebody thinks I'm worth it!

  7. Pascal Monett Silver badge

    So this is the situation

    Flaw implicating flow of money to company : fixed in weeks or less

    Flaw implicating security of personal information of many thousands of users : might be fixed in months or years

    Yup, that sounds like capitalism all right.

    1. Anonymous Coward

      Re: So this is the situation

      Kind of but not really, it has to do with the consumers' tolerance to certain issues.

      Consumers are far more touchy about risks to money than "personal information", and not only consumers but banks, governments, the police, and many others.

      Also what personal information does one store in a private place in twitter?

  8. Mike 16 Silver badge

    Trusting Data you send to users?

    So, let me get this straight, Twitter uses easily guessable URLs in a small namespace to carry information that they just _assume_ the user/client has not messed with?

    Reminds me of the days when the power company would send out actual IBM cards with your account number and amount due (with "Do not Fold, Spindle, or Mutilate" printed on the face, of course), and _some_ folks would "X-punch" the amount before returning the card with their payment. Just be careful not to run up too much credit.

    Not that I would ever do such a thing. Oh, no, I'm just too honest and anyway not that old. Grandpa told me that story as a cautionary tale about trusting data that comes back into the system. Yeah, that's what he said.
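The trust-in-the-client problem Mike 16 describes, as an added Python example that is not part of the thread or of Twitter's code: a "delete saved card" handler that acts on whatever card id the client sends, beside the version that resolves the card and checks the session user owns it. The store, user names and ids are constructed for illustration.

```python
# Added example, not Twitter's code: an insecure direct object reference in a
# "delete saved card" endpoint, beside the ownership check that closes it.
# Names, ids and the in-memory store are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Card:
    card_id: int   # small sequential id, exactly the kind a client can guess
    owner: str
    last4: str


class CardStore:
    def __init__(self):
        self.cards = {1: Card(1, "alice", "4242"),
                      2: Card(2, "bob", "1111"),
                      3: Card(3, "carol", "9999")}
        self.denied = []  # audit trail of refused deletions, for alerting

    def delete_card_vulnerable(self, session_user, card_id):
        """Trusts the id the client sent: any logged-in user can delete any card."""
        if card_id in self.cards:
            del self.cards[card_id]
            return True
        return False

    def delete_card_fixed(self, session_user, card_id):
        """Resolves the card and refuses unless the session user owns it.
        Missing and foreign ids get the same answer, so the response does not
        confirm which ids exist; refusals are recorded for detection."""
        card = self.cards.get(card_id)
        if card is None or card.owner != session_user:
            self.denied.append((session_user, card_id))
            return False
        del self.cards[card_id]
        return True


def cross_account_delete_blocked(handler_name):
    """Regression check: bob tries to delete alice's card (id 1).
    True only when the handler refuses and alice's card survives."""
    store = CardStore()
    deleted = getattr(store, handler_name)("bob", 1)
    return (not deleted) and 1 in store.cards


def own_card_delete_allowed(handler_name):
    """Sanity check that a handler still lets a user delete their own card."""
    store = CardStore()
    return getattr(store, handler_name)("bob", 2) and 2 not in store.cards
```

The regression check is the test to keep in a suite: it fails on the vulnerable handler and passes on the fixed one, and the `denied` list is the signal a defender would feed into alerting on repeated foreign-id attempts from one account.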
