An easy bug: The Twitter story


When I first opened HackerOne, my thought was:

I had seen a lot of news on TV like “Barack Obama’s and Bill Gates’s Twitter accounts hacked. Hacker tweeted his Bitcoin address to collect money from people” (I hope I remember it right).

So I thought: if he hacked Twitter (in my head that sentence contained the word “easily” at the time), I can hack it too, so I selected it as the program to hack on.

After struggling for months, nothing came of it, so I decided to change my program. A few months after leaving the program, when I woke up one morning, a thought came to my mind:

When I was struggling on Twitter, I had noticed that when I tweeted an image, viewed the tweet, and deleted it, the image was still accessible to me. When I researched it further by opening the image in an Incognito/InPrivate window, it threw eggs on my face (rather, a 404 error), but when I opened it in a normal tab (where it was cached), I saw that I could still access the image. So the simple explanation came to my mind: it is cached.

Why is it a bug?

Since the user deleted the image, it means that the image contains some sensitive info, or something that the user doesn’t want the public to see. So after the tweet gets deleted, it is the responsibility of the web app to invalidate the image that was cached, but it doesn’t. You could say that I can assign bots to monitor the profile and save every tweet/activity from the account, so is that a bug? No, because you are the one assigning the bots; that’s not Twitter’s fault. But if Twitter is not removing the cached image, is that your fault? Again no! It’s Twitter’s.
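A defender’s check for the root cause described above, added here as an example that is not part of the original post: it reads the Cache-Control/Expires headers of an image response and reports how long a browser may keep serving that image from its cache after the tweet (and the server-side file) is gone. The header sets are constructed sample data, not captured from any real service, and the 300-second threshold is an assumed policy value.

```python
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """'public, max-age=60, immutable' -> {'public': None, 'max-age': '60', 'immutable': None}"""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name] = arg.strip('"') if arg else None
    return directives


def freshness_seconds(headers):
    """Seconds a browser may serve the cached image without contacting the server."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:  # never stored / always revalidated
        return 0
    if (cc.get("max-age") or "").isdigit():  # RFC 9111: max-age wins over Expires
        return int(cc["max-age"])
    if "expires" in h and "date" in h:  # Expires is relative to the Date header
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            return 0
    return 0


def audit(headers, max_acceptable=300):
    """Findings that explain why a deleted image could stay viewable from cache."""
    cc = parse_cache_control(
        {k.lower(): v for k, v in headers.items()}.get("cache-control", ""))
    ttl = freshness_seconds(headers)
    findings = []
    if ttl > max_acceptable:
        findings.append(f"browser may reuse the image for {ttl}s after deletion")
    if "immutable" in cc:
        findings.append("immutable: browser skips revalidation while fresh")
    if "public" in cc:
        findings.append("public: shared caches and CDNs may keep a copy too")
    return findings


# Constructed sample header sets (not captured from any real service).
LONG_LIVED = {"Cache-Control": "public, max-age=31536000, immutable"}
HARDENED = {"Cache-Control": "private, no-store"}
EXPIRES_ONLY = {"Date": "Mon, 10 Jan 2022 10:00:00 GMT", "Expires": "Mon, 10 Jan 2022 11:00:00 GMT"}
```

Run `audit(LONG_LIVED)` against the image URL’s headers: an empty result means the browser must ask the server again, so a deleted image comes back as the 404 the writeup saw in the private window.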

So, I hope that you’ve enjoyed this writeup (although I know that you didn’t, but I wrote it as a formality), and that it has given you an idea that they accept these types of bugs too (this isn’t a formality). If they don’t, you can use it to escalate some other attacks, but if your signal (on H1) isn’t hurt or you are okay with it, then you must submit it. You might get some gold…

!!! Thanks for reading (since very few people like thorough reading 😅) !!!

Hope you remembered to click 👏 below.
