Sensitive Information Disclosure https://cards-dev.twitter.com
Medium
X (Formerly Twitter)
Submitted None
Reported by
hassham
Vulnerability Details
Technical details and impact analysis
Dear Twitter Team,
While researching one of your domains, cards-dev.twitter.com, I discovered that the host is disclosing sensitive information when a user browses to a specific directory:
https://cards-dev.twitter.com:443/keys/.
The application downloads a file, json.json, which discloses the following information:
`"customer_key":"████"`
`"customer_secret":"█████████"`
`"jira_password":"██████"`
I am checking whether this information can be used to further escalate any vulnerability.
Regards,
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$280.00
Submitted
Weakness
Information Disclosure
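
A pre-deployment check for the exposure class this report describes (a JSON file in a web-served directory carrying credential-named fields), added here as an illustration and not part of the original report or of X's tooling. The key-name pattern and the function names `secret_fields`, `scan_docroot` and `demo` are assumptions; the sample files are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Key names treated as credential-like (assumed pattern; tune it for your own naming).
SECRET_NAME = re.compile(r"secret|passw(or)?d|token|(api|customer|private)_?key", re.I)


def secret_fields(node, path=""):
    """Yield dotted paths of non-empty string values whose key name looks like a credential."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if isinstance(value, str) and value and SECRET_NAME.search(str(key)):
                yield here
            yield from secret_fields(value, here)  # no-op for scalars, recurses into containers
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_fields(item, f"{path}[{i}]")


def scan_docroot(docroot):
    """Return {relative_file: [field paths]} for JSON files under docroot with credential-like fields."""
    findings, root = {}, Path(docroot)
    for file in sorted(root.rglob("*.json")):
        try:
            data = json.loads(file.read_text(encoding="utf-8", errors="replace"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON: nothing to inspect
        fields = sorted(secret_fields(data))
        if fields:
            findings[file.relative_to(root).as_posix()] = fields  # field names only, never values
    return findings


def demo():
    """Build a constructed document root (sample values, not from the report) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "keys").mkdir()
        (root / "keys" / "json.json").write_text(json.dumps(
            {"customer_key": "EXAMPLE", "customer_secret": "EXAMPLE", "jira_password": "EXAMPLE"}))
        (root / "manifest.json").write_text(json.dumps({"name": "cards", "version": "1"}))
        return scan_docroot(root)


if __name__ == "__main__":
    print(demo())
```

Run against the directory a web server is about to publish, a non-empty result is a reason to fail the deploy and rotate whatever the flagged fields contain.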