
$3k Bug Bounty – Twitter's OAuth Mistakes - edent
https://shkspr.mobi/blog/2018/12/twitter-bug-bounty/
======
philpem
Well done for getting them to pay up!

This looks a lot like the one I found a while back (after falling victim to it
myself and spending a few weeks looking for it). Reported it through HackerOne
and thanks to a shirty Twitter developer and his boss, got a permanent ban
from HackerOne.

Needless to say, if I find anything else of this magnitude, I'll be keeping it
to myself.

~~~
edent
I'm sorry that happened to you. I've had mixed success with the large bug
bounty sites. Some companies are clearly there as a fig-leaf, and others are
unable to handle the large volume of reports they get. But I've found most to
be good.

~~~
philpem
Yeah, I've seen a few patterns with the worse companies...

* "We've already fixed it" (we haven't, but we don't want to pay up, and a fix mysteriously appears a month or three later)
* "This is not eligible" (we don't actually care)
* Silence
* Legal threats ("send us your address so we can send you something for this", and a C&D turns up)

------
popotamonga
Why do many popular sites have bugs in OAuth? Isn't there a standard
implementation or lib?

------
jakejarvis
Just ran across this when browsing HackerOne for fun last night. Bravo, great
job!

