$1120: ATO Bug in Twitter’s

Explore the story of a $1120 Twitter bug I found: a security flaw that allowed attackers to seize full control of accounts without knowing the password.

Everyone reading this is, I think, aware of Twitter. A couple of months after starting my bug bounty career, in October 2020, I found this bug. It is about how an attacker who had only partial access to an account (via session hijacking or cookie grabbing) was able to delete the phone number, add their own number, change the password, and gain full control over the account.

The Twitter Flow

Imagine you’re using Twitter, and suddenly, a hacker hijacks your session. It’s a scary scenario. But Twitter has implemented an extra layer of protection. When trying to make significant changes, like altering your phone number or disabling two-factor authentication (2FA), the hacker would typically be prompted to enter your account password. This would pose a challenge because they don’t have your password. However, there’s a twist to this story.

The Flaws

I discovered some flaws that enable a hacker with a hijacked session to bypass the password screen. This means that even without knowing your password, they could still make changes to your Twitter account.

How It Works:

Here’s how this vulnerability plays out:

  1. A session hijacker attempts to change your phone number or disable 2FA.
  2. Twitter usually requires a password confirmation to make these changes, but there is a crucial issue.
  3. When the phone number is deleted, 2FA gets disabled, but the session still recognizes the 2FA confirmation.
  4. Deleting the phone number from the security page, however, requires the password, so I looked for an alternate route and explored the Twitter settings.
  5. I found something interesting. To understand how this works, let’s break it down step by step:
  • Navigate to “Security and Privacy” in Twitter settings.
  • Go to “Notification” and select “Preferences.”
  • Choose “SMS Notification” and select the top phone number. There is no password confirmation to remove it, so proceed to delete.

So now we are halfway done: the phone number is deleted and 2FA is disabled. Next I had to find a way to add a phone number without the password.

I found a curious URL that allowed me to bypass the password screen and add a phone number through the 2FA enabling process.

  1. Now, go back to settings and select “Security and Account Access.”
  2. Under “Security,” select “Two-Factor Authentication,” and choose “Text Message.”
  3. At this point the password screen appears.
  4. Now it’s time to use our magic URL: https://twitter.com/account/access?feature=two_factor_auth_totp_enrollment&initiated_in_iframe=true
  5. When the page loads, I land directly on the step for adding a phone number, without being asked for the password.
  6. Now I add the phone number, verify the OTP, and start 2FA.
  7. This is how my phone number gets added to the victim’s account.

Now you may be curious how this becomes an ATO.

So let’s move to our final step.

  1. I log out of the account and go to the forgot-password page.
  2. Enter the phone number I added above.
  3. Receive the OTP on the phone.
  4. Change the password.
  5. Now I have full control over the victim’s account.
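The chain above reduces to a consistency problem: the same state change (removing or adding the account’s phone number) is reachable from several pages, and the password screen is enforced per page rather than at the point where the state actually changes, while the forgot-password flow trusts whatever phone is on file at that moment. The Python model below is an added example, not Twitter’s code. It replays the three steps against a vulnerable set of handlers and against a hardened set that checks re-authentication in one choke point and refuses recovery through a freshly added phone. The handler names, the session and account fields, the phone numbers, and the re-auth window and recovery cooldown values are all assumptions made for the example.

```python
"""Toy model of the flow in this write-up: one account, a hijacked session that
never learns the password, and three handlers (delete phone, enroll SMS 2FA,
reset password by SMS).  Constructed example; it is not Twitter's code."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

REAUTH_WINDOW = 300        # seconds a password confirmation stays fresh (assumed value)
RECOVERY_COOLDOWN = 86400  # seconds before a newly added phone may reset a password (assumed)
VICTIM_PHONE, ATTACKER_PHONE = "+15550001111", "+15550009999"  # constructed numbers


@dataclass
class Account:
    password: str = "victim-pw"
    phone: Optional[str] = VICTIM_PHONE
    sms_2fa: bool = True
    phone_changed_at: Optional[float] = None


@dataclass
class Session:
    account: Account
    password_confirmed_at: Optional[float] = None  # set only by the password screen


class ReauthRequired(Exception):
    """The handler wants a fresh password confirmation (the 'password screen')."""


def confirm_password(s: Session, pw: str) -> None:
    if pw != s.account.password:
        raise PermissionError("wrong password")
    s.password_confirmed_at = time.time()


def has_fresh_reauth(s: Session) -> bool:
    return (s.password_confirmed_at is not None
            and time.time() - s.password_confirmed_at < REAUTH_WINDOW)


# ---- Vulnerable: every page decides for itself whether to show the password screen.
def vuln_delete_phone_security_page(s: Session) -> None:
    if not has_fresh_reauth(s):              # this page is gated ...
        raise ReauthRequired
    s.account.phone, s.account.sms_2fa = None, False


def vuln_delete_phone_notification_prefs(s: Session) -> None:
    s.account.phone, s.account.sms_2fa = None, False  # ... the same change here is not


def vuln_enroll_sms_2fa(s: Session, phone: str, initiated_in_iframe: bool = False) -> None:
    # The enrollment entry point reached through the query-string flag skips the screen.
    if not initiated_in_iframe and not has_fresh_reauth(s):
        raise ReauthRequired
    s.account.phone, s.account.sms_2fa = phone, True


def vuln_reset_password_via_sms(acct: Account, phone: str, new_pw: str) -> None:
    if acct.phone != phone:                  # trusts whatever phone is on file right now
        raise PermissionError("phone not on account")
    acct.password = new_pw


# ---- Hardened: one choke point for the state change; recovery distrusts fresh factors.
def _set_phone(s: Session, phone: Optional[str], sms_2fa: bool) -> None:
    if not has_fresh_reauth(s):              # enforced here, whichever page called us
        raise ReauthRequired
    s.account.phone, s.account.sms_2fa = phone, sms_2fa
    s.account.phone_changed_at = time.time()


def safe_delete_phone_notification_prefs(s: Session) -> None:
    _set_phone(s, None, False)


def safe_enroll_sms_2fa(s: Session, phone: str, initiated_in_iframe: bool = False) -> None:
    _set_phone(s, phone, True)               # the UI hint never influences the auth decision


def safe_reset_password_via_sms(acct: Account, phone: str, new_pw: str) -> None:
    if acct.phone != phone:
        raise PermissionError("phone not on account")
    if acct.phone_changed_at is not None and time.time() - acct.phone_changed_at < RECOVERY_COOLDOWN:
        raise PermissionError("phone added too recently to be used for recovery")
    acct.password = new_pw


def attacker_chain(delete_phone: Callable, enroll_sms: Callable, reset_password: Callable) -> bool:
    """Replay the write-up's three steps with a stolen cookie; True means full ATO."""
    acct = Account()
    hijacked = Session(acct)                 # no password_confirmed_at: the attacker lacks it
    try:
        delete_phone(hijacked)                                          # notification-prefs route
        enroll_sms(hijacked, ATTACKER_PHONE, initiated_in_iframe=True)  # the "magic URL"
        reset_password(acct, ATTACKER_PHONE, "attacker-pw")             # forgot password + OTP
    except (ReauthRequired, PermissionError):
        return False
    return acct.password == "attacker-pw"


def owner_changes_phone(new_phone: str) -> Optional[str]:
    """The legitimate owner, who knows the password, still gets through the hardened path."""
    acct, s = Account(), Session(Account())
    s = Session(acct)
    confirm_password(s, "victim-pw")
    safe_enroll_sms_2fa(s, new_phone)
    return acct.phone


def reset_allowed_with_fresh_phone() -> bool:
    """A phone the owner added minutes ago cannot drive recovery until the cooldown passes."""
    acct = Account()
    s = Session(acct)
    confirm_password(s, "victim-pw")
    safe_enroll_sms_2fa(s, ATTACKER_PHONE)
    try:
        safe_reset_password_via_sms(acct, ATTACKER_PHONE, "x")
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable handlers, ATO:", attacker_chain(vuln_delete_phone_notification_prefs,
                                                      vuln_enroll_sms_2fa, vuln_reset_password_via_sms))
    print("hardened handlers,  ATO:", attacker_chain(safe_delete_phone_notification_prefs,
                                                      safe_enroll_sms_2fa, safe_reset_password_via_sms))
```

The hardened version changes two things. First, the re-authentication check moves out of the pages and into the single function that mutates the recovery factor, so adding a new settings page or an alternate entry URL cannot silently create an ungated route. Second, account recovery treats a recently added phone as untrusted for a cooldown period, which breaks the final step of the chain even if some other bug lets an attacker attach a number.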

The Bounty Reward:

Discovering a security vulnerability is one thing, but the true value lies in responsible disclosure and collaboration. Twitter, recognizing the significance of this security concern, acknowledged my findings and awarded a bounty of $1120 as a token of appreciation.

Takeaway

The takeaway from this article is to understand the flow of an application, find a flaw, and figure out how to exploit it in order to perform a task that normally requires authentication. In this case the same state change (removing or adding the account’s phone number) was reachable from several pages, and only some of them enforced the password check, while password recovery trusted a phone number that had just been added from a hijacked session. Understanding such inconsistencies, and how they can be chained, is what turns a missing confirmation screen into a full account takeover.

Leave some claps if you enjoyed this read, leave your feedback in the comments, and consider following me for more exciting findings.

Find me on Twitter: @a13h1_

Thank you everyone

Keep Supporting, Keep Clapping, Keep Commenting.
