WRITE UP – TWITTER BUG BOUNTY [Report of my 1st bugbounty]: “POODLE SSLv3 bug on multiple twitter smtp servers”


Introduction:
Hi everyone, this is very special to me, is the report for my first bug bounty ever! in 2017, so far I’ve found another bugs in platforms like Facebook and Nokia, but this one will always be my favorite because was the 1st one, so I got into Twitter Security Hall of Fame (2017) via Hackerone, so here we go:

This blogpost appeared first in the book Bug Bounty Write Ups Collection

Report Summary:

Hi Twitter Sec team I’ve found that some of your SMTP servers are  vulnerable to the POODLE SSLv3 bug

Description and impact:

CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding oracle attack, aka the “POODLE” issue.

Steps To Reproduce:

One day I just was navigating in shodan and I don’t know why I thinked about the smtp servers and the bug bounties, and that made think about which companies have sslv3 activated in production environments (heartbleeed) , so I decided to try with some dorks in shodan (like “org:Twitter” “port:443” “port:25”) when suddendly some wild server appear:

I thought WOW! sslv3 in some Twitter SMTP production server,  it was just a matter of time to found more SMTP servers with the sslv3 activated in the same network, once I collected the 4 SMTP servers available (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204), the fun began.

Extracted from the h1 report:

Hi Twitter Sec team here is the POC

1.- get a nmap installation and twitter_smtp_ssl_servers.txt file (file with mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204 hosts row by row)
2.- run this command : “nmap -sV –version-light -Pn –script ssl-poodle -p 25 -iL twitter_smtp_ssl_servers.txt | grep -B 5 VULNERABLE”
3.- And that’s it, see the results

Tools: nmap, grep, shodan.io

Is this bug public or known by third parties? No

Can I reproduce this issue every time? Yes

How did I find this bug? via shodan.

Twitter Hall of fame:

https://hackerone.com/twitter/thanks/2017

Hackerone report:

https://hackerone.com/reports/288966

well, that’s it, if you have any doubt, comments or suggestions just drop me a line here or on Twitter @omespino, read you later.

3 thoughts on “WRITE UP – TWITTER BUG BOUNTY [Report of my 1st bugbounty]: “POODLE SSLv3 bug on multiple twitter smtp servers”

  1. Hi Omespino,

    I am trying to use the same dork for Twitter and as well as for other targets, but not getting results.
    I am getting “No results Found”

Leave a Reply

Your email address will not be published.