
It's something like this (I don't know if you already knew):

1. Try to search this http://goo.gl/dHHsU on Google. You'll find (at the time of writing) 90.300 results.

2. Find a URL like this https://twitter.com/account/confirm_email/[username]/[XXXXX-...

3. Change the URL like this https://twitter.com/account/not_my_account/[username]/[XXXXX...

Twitter "not_my_account" vulnerability:

- Information disclosure vulnerability: you'll see the email of the Twitter user [username]

- DoS vulnerability: you can click on the "I did not sign up for this account" button. After that, the email of the Twitter user [username] will be removed from the [username] account.
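The pattern the comment describes, written out as an added example (this is not code from the HN post and not Twitter's code; the server internals, class names and sample accounts are all assumptions made here): one secret token is mailed in a confirm_email link, and the not_my_account endpoint honours the same token, first echoing the address and then removing it. The vulnerable model is placed beside a hardened one that binds each token to a single purpose, makes it single-use, burns every token for a signup once the address has been confirmed, and shows only a masked address.

```python
"""Added example, not from the HN post or from Twitter. It models the
flaw the post describes with a hypothetical in-memory server and
constructed accounts, next to a hardened version of the same endpoints."""
import secrets


def mask_email(email):
    """Show only the first character of the local part: alice@x.org -> a***@x.org"""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


class VulnerableServer:
    """One token per signup, honoured by every account endpoint, never
    invalidated, and the not_my_account page echoes the full address."""

    def __init__(self):
        self.accounts = {}  # username -> {"email": str | None, "confirmed": bool}
        self.tokens = {}    # token -> username (no purpose, no used flag)

    def signup(self, username, email):
        self.accounts[username] = {"email": email, "confirmed": False}
        token = secrets.token_hex(8)
        self.tokens[token] = username
        return token  # mailed as /account/confirm_email/<username>/<token>

    def handle(self, action, username, token, confirm=False):
        """action is the path segment after /account/ (attacker-controlled)."""
        if self.tokens.get(token) != username:
            return {"status": 404}
        acct = self.accounts[username]
        if action == "confirm_email":
            acct["confirmed"] = True
            return {"status": 200}
        if action == "not_my_account":
            if confirm:  # the "I did not sign up for this account" button
                acct["email"] = None
                return {"status": 200, "removed": True}
            return {"status": 200, "email": acct["email"]}  # full address disclosed
        return {"status": 404}


class HardenedServer:
    """Separate single-use token per purpose; confirming the address burns
    every token of that signup; the page shows only a masked address."""

    def __init__(self):
        self.accounts = {}
        self.tokens = {}  # token -> {"username", "purpose", "used"}

    def signup(self, username, email):
        self.accounts[username] = {"email": email, "confirmed": False}
        issued = {}
        for purpose in ("confirm_email", "not_my_account"):
            token = secrets.token_urlsafe(32)
            self.tokens[token] = {"username": username, "purpose": purpose, "used": False}
            issued[purpose] = token
        return issued  # each link in the mail carries only its own token

    def _burn_all(self, username):
        for rec in self.tokens.values():
            if rec["username"] == username:
                rec["used"] = True

    def handle(self, action, username, token, confirm=False):
        rec = self.tokens.get(token)
        if (rec is None or rec["used"] or rec["username"] != username
                or rec["purpose"] != action):
            return {"status": 404}  # one response for every failure mode
        acct = self.accounts[username]
        if action == "confirm_email":
            acct["confirmed"] = True
            self._burn_all(username)  # ownership proven: "not mine" no longer applies
            return {"status": 200}
        if action == "not_my_account":
            if not confirm:
                return {"status": 200, "email": mask_email(acct["email"])}
            acct["email"] = None
            self._burn_all(username)
            return {"status": 200, "removed": True}
        return {"status": 404}
```

Against VulnerableServer, a token harvested from an indexed confirm_email link is enough to call handle("not_my_account", ...) and read, then strip, the address. Against HardenedServer the same token fails the purpose check, the masked form is all a legitimate not_my_account page reveals, and a confirmed signup has no live tokens left to abuse. A production version would additionally store only a hash of each token and put an expiry on it, which this demo omits.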
