Published On: 07 Feb 2025
When a visitor who is not logged in tries to view an X account, X prompts them to log in before showing the profile. By following the specific steps below, however, the profile can be viewed without logging in, which indicates a potential security issue.
When a user's profile (e.g., x.com/userexample) is requested without being logged in, the profile briefly loads before the login prompt appears and blocks further access. During that brief window, actions such as downloading the profile picture are possible. This points to a potential issue in session handling or in the authentication flow: the profile content is already delivered before the login check takes effect, so unauthorized visitors can momentarily view and interact with profiles.
This issue lets unauthorized users view profiles and download pictures, bypassing access controls. It exposes sensitive data, weakens authentication, and creates significant security and privacy risks.
Step 1: Access the user profile URL (e.g., x.com/userexample) without being logged in (do not choose an account like x.com/elonmusk, which is accessible without being logged in).
Step 2: Use a tool (I used Burp Suite) to intercept the HTTP requests.
Step 3
Step 4
Step 5
Step 6
Step 7
This issue lets unauthorized users view profiles and download pictures, bypassing the access controls that Twitter implemented for users who are not logged in.
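The behaviour reported above (profile data arriving before the login wall takes effect) is what happens when the wall is enforced in the browser rather than on the server. The following is an added illustration, not X's code: two hypothetical request handlers over a constructed profile store, one that returns the profile and leaves the login prompt to page script, and one that decides authorization before any profile field is serialized, plus a check a reviewer can run over either handler.

```javascript
// Added illustration (not X's implementation). Both handlers model a server
// answering a request for /:username. `session` is null for anonymous callers.

// Constructed sample data: a profile the site wants to hide from anonymous visitors.
const PROFILES = {
  userexample: {
    name: "Example User",
    avatar: "https://cdn.example.invalid/userexample/avatar.jpg",
    bio: "constructed sample bio",
  },
};

// Pattern 1 (weak): the server always returns the full profile and only asks the
// page script to show a login modal afterwards. An intercepting proxy sees the
// complete profile, avatar URL included, before any modal is rendered.
function clientGatedProfile(username, session) {
  const profile = PROFILES[username];
  if (!profile) return { status: 404, headers: {}, body: null };
  return {
    status: 200,
    headers: {},
    body: { ...profile, showLoginPrompt: !session }, // hint for the UI only
  };
}

// Pattern 2 (hardened): authorization is decided first. Anonymous callers get a
// redirect to the login page and no profile bytes at all.
function serverGatedProfile(username, session) {
  if (!session || !session.userId) {
    return { status: 302, headers: { Location: "/login" }, body: null };
  }
  const profile = PROFILES[username];
  if (!profile) return { status: 404, headers: {}, body: null };
  return { status: 200, headers: {}, body: profile };
}

// Reviewer check: does an anonymous request ever carry profile fields,
// regardless of what the client does with the response afterwards?
function leaksToAnonymous(handler, username) {
  const res = handler(username, null);
  if (res.body === null) return false;
  return "avatar" in res.body || "bio" in res.body || "name" in res.body;
}
```

Running `leaksToAnonymous` against a handler is the question to ask of any login wall: if the answer is true, a brief flash of content before a prompt is not a rendering quirk but a server-side authorization gap.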