Twitter Flaw Allowed Access to Locked Accounts

Twitter was until a few months ago affected by a vulnerability that could have been exploited to bypass the social media network’s account locking mechanism.


Twitter can lock user accounts for security purposes if it detects suspicious behavior which could indicate that an account may have been compromised. In order to have the account unlocked, the user needs to confirm they are the legitimate owner by providing some information, such as phone number and email address.

Security expert Karan Saini discovered that this account locking mechanism could be bypassed simply by adding the targeted account to a mobile device. The researcher added the locked account to his iPhone (via the Settings page), installed the Twitter app on the device, and was given full access to the account.

However, Saini noticed that the targeted account remained locked on the Twitter website, so the bypass was not yet complete. To achieve a complete bypass, the expert used the iOS Twitter app to access the account’s settings and obtain the email address and phone number needed to unlock the account.

This vulnerability could have been useful to an attacker who had stolen the targeted user’s credentials and wanted to avoid being locked out of the account.
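The enforcement gap described above, as an added toy model written for this article rather than Twitter's own code: a lock that only the web login path consults, beside a version where a single policy check gates every login path and every request, so that tokens issued before the lock are refused as well. Class names, the "web"/"mobile" client labels and the sample account are all constructed.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    profile: dict          # what the unlock flow asks for: email, phone
    locked: bool = False

@dataclass
class AuthService:
    accounts: dict                              # username -> Account
    tokens: dict = field(default_factory=dict)  # bearer token -> username

    def _password_ok(self, user, pw):
        acct = self.accounts.get(user)
        return acct is not None and secrets.compare_digest(acct.password, pw)

    def _issue(self, user):
        tok = secrets.token_hex(16)
        self.tokens[tok] = user
        return tok

    # Vulnerable: only the web login consults the lock; another client still gets a token and data.
    def login_vulnerable(self, user, pw, client):
        if not self._password_ok(user, pw):
            return None
        if client == "web" and self.accounts[user].locked:
            return None
        return self._issue(user)

    def settings_vulnerable(self, token):
        user = self.tokens.get(token)
        return self.accounts[user].profile if user else None

    # Hardened: one policy check on every login and every request, so pre-lock tokens are refused too.
    def _permitted(self, user):
        return user is not None and not self.accounts[user].locked

    def login(self, user, pw):
        if not self._password_ok(user, pw) or not self._permitted(user):
            return None
        return self._issue(user)

    def settings(self, token):
        user = self.tokens.get(token)
        return self.accounts[user].profile if self._permitted(user) else None

def sample_service():  # constructed sample data, not real credentials
    return AuthService({"victim": Account("hunter2", {"email": "v@example.test", "phone": "+1-555-0100"})})
```

Locking an account (`locked = True`) and then logging in as the "mobile" client shows the vulnerable path still handing out a token that reads the profile, while `login` and `settings` refuse both new logins and existing tokens for the locked account.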

“An attacker with knowledge of a locked account’s credentials would’ve been able to exploit this issue to gain complete access to the victim’s profile,” Saini said in a blog post.

The flaw was reported to Twitter on October 7 and it was patched a few days later. The researcher said he received an unspecified bug bounty for his work.


Twitter has been running a bug bounty program on the HackerOne platform since September 2014. Bug bounty hunters can earn as much as $15,000 for a serious remote code execution vulnerability affecting the company’s core services.

According to its HackerOne page, Twitter has so far received nearly 600 vulnerability reports and it has paid out a total of more than $600,000.

*Updated. The initial version of the article incorrectly stated that it was Aaron Ullger who discovered the flaw, when it was actually Karan Saini who found it.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
