WRITE UP – TWITTER BUG BOUNTY [Report of my 1st bugbounty]: “POODLE SSLv3 bug on multiple twitter smtp servers”

Hi everyone, this is very special to me, is the report for my first bug bounty ever! in 2017, so far I’ve found another bugs in platforms like Facebook and Nokia, but this one will always be my favorite because was the 1st one, so I got into Twitter Security Hall of Fame (2017) via Hackerone, so here we go:

Report Summary:

Hi Twitter Sec team I i’ve found that some of your smtp servers are  vulnerable to POODLE SSLv3 bug

Description and impact:

CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.

Steps To Reproduce:

One day I just was navigating in shodan and I don’t know why I thinked about the smtp servers and the bug bounties, and that made think about which companies have sslv3 activated in production environments (heartbleeed) , so I decided to try with some dorks in shodan (like “org:Twitter” “port:443” “port:25”) when suddendly some wild server appear:

I thinked WOW! sslv3 in some Twitter smtp production server,  it was just a matter of time to found more smtp servers with the sslv3 activated in the same network, once I collected the 4 smtp servers avaiables (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204), the fun began.

Extracted from the h1 report:

Hi Twitter Sec team here is the POC

1.- get a nmap installation and twitter_smtp_ssl_servers.txt file (file with mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204 hosts row by row)
2.- run this command : “nmap -sV –version-light -Pn –script ssl-poodle -p 25 -iL twitter_smtp_ssl_servers.txt | grep -B 5 VULNERABLE”
3.- And that’s it, see the results

Tools: nmap, grep, shodan.io

Is this bug public or known by third parties? No

Can I reproduce this issue every time? Yes

How did I find this bug? via shodan.

Twitter Hall of fame:

https://hackerone.com/twitter/thanks/2017

Hackerone report:

https://hackerone.com/reports/288966

well that’s it, if you have any doubt, comment or sugestion just drop me a line here or in twitter @omespino, read you later.

2 thoughts on “WRITE UP – TWITTER BUG BOUNTY [Report of my 1st bugbounty]: “POODLE SSLv3 bug on multiple twitter smtp servers”

Leave a Reply

Your email address will not be published.