Bypassing Twitter’s account lockout mechanism

This post details a vulnerability that allowed for a complete bypass of Twitter’s account lockout mechanism, which is responsible for locking an account when suspicious login activity has been detected.

If your account was locked due to suspicious login attempts, you would be presented with a verification page upon signing in, where you would have to enter the email address or phone number linked to the account in order to regain access to it.

While looking for potential bypasses, I first tried logging in via mobile.twitter.com, where I was presented with the verification page described above. I then tried logging in via tweetdeck.twitter.com, which brought me back to the same verification page once again.

After some more failed attempts, I remembered that it was possible to add a Twitter account to your iPhone/iPad through device settings.

The settings option for Twitter is present on your phone even if you’ve never installed the Twitter app before.

I was able to add my locked account to my phone through device settings without any prompts or issues.

An attacker would’ve required previous knowledge of the victim’s account password to exploit this issue.

OK, cool. We have a partial bypass.

After having authenticated through the settings option on my phone, I found that my account was still locked on the desktop site, which prevented me from changing the email address and/or password on my Twitter account.

To escalate this issue to a complete bypass, I would still need to get past the verification page presented to me on the desktop Twitter site.

I downloaded the Twitter app for iOS and found that my account was already logged in and ready to use. I navigated to account settings and found that the email address and phone number linked to my account were listed right there.

I was then able to submit this information on the verification page I had previously been shown, which allowed me to successfully log in to the desktop Twitter site as well. The locked flag was then completely removed from my account.

An attacker with knowledge of the credentials to a locked Twitter account would’ve been able to exploit this issue to gain complete access to the profile.
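The root cause the post describes is a lock enforced by individual login surfaces rather than by the account itself, so a second surface (the device-settings login) issued a session that then exposed the very email address and phone number the verification page asks for. The model below is an added example, not Twitter's code, and all names and values in it are constructed; it reproduces that inconsistency with `enforce_centrally=False` and shows the hardened form, where the lock is checked in the shared credential path and again on sensitive settings reads, with `enforce_centrally=True`.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    password: str  # plaintext only for this model; real systems store a hash
    email: str     # the knowledge factor the verification page asks for
    locked: bool = False

class AuthService:
    # enforce_centrally=False reproduces the per-surface lock check from the post;
    # True moves the check into the shared credential path and into settings reads.
    def __init__(self, accounts, enforce_centrally):
        self.accounts = {a.username: a for a in accounts}
        self.enforce_centrally = enforce_centrally
        self.sessions = {}
    def _authenticate(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password, password):
            raise PermissionError("bad credentials")
        if self.enforce_centrally and acct.locked:
            raise PermissionError("account locked: verification required")
        return acct
    def _issue(self, acct, client):
        token = f"{client}:{acct.username}:{len(self.sessions)}"
        self.sessions[token] = acct.username
        return token
    def login_web(self, username, password):
        acct = self._authenticate(username, password)
        if acct.locked:  # weak design: only this surface checks the lock
            raise PermissionError("account locked: verification required")
        return self._issue(acct, "web")
    def login_device_settings(self, username, password):
        # second surface (the iOS settings login in the post) with no lock check of its own
        return self._issue(self._authenticate(username, password), "ios")
    def account_settings(self, token):
        acct = self.accounts[self.sessions[token]]
        if self.enforce_centrally and acct.locked:
            raise PermissionError("account locked: settings unavailable")
        return {"email": acct.email}

def attacker_learns_email(enforce_centrally):
    """True if someone holding only the password can read a locked account's email."""
    svc = AuthService([Account("victim", "hunter2", "victim@example.com", True)], enforce_centrally)
    try:
        token = svc.login_device_settings("victim", "hunter2")
        return svc.account_settings(token)["email"] == "victim@example.com"
    except PermissionError:
        return False
```

With the lock checked centrally, every login path and every read of the verification data is refused until the lock is cleared, so a password alone no longer yields the second factor.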