For more than a year, all it would take is clicking on a maliciously crafted link on Twitter and your account could have been taken over and used to tweet, retweet, like, or block other users. The vulnerability was disclosed publicly on Wednesday, leading to a quick fix—and a scolding for the user who disclosed it.

Instead of earning a monetary reward from Twitter’s bug bounty program, the company banned the user from participating.


The disclosure was made by pseudonymous Twitter user @rabbit_2333, who shared how an XSS vulnerability on Twitter's analytics subdomain could be leveraged to give an attacker access to a third party’s profile and the ability to do almost everything except changing the account’s password.

The hack made use of cross-site scripting (XSS) and cross-site request forgery (CSRF). XSS attacks allow malicious actors to inject harmful scripts into web pages, while CSRF tricks users into executing actions on a web app where they’re already authenticated.

The Twitter bug utilized both these methods, making it especially dangerous. By exploiting XSS, attackers could bypass web security measures and gain unauthorized access to user accounts.

As news of this vulnerability spread, Chaofan Shou, cofounder of the smart contract analysis platform Fuzz.Land, stepped in to provide more details. He revealed how easy it was to build a powerful exploit tool based on this unaddressed vulnerability, and provided a detailed explanation of how the bug worked and the potential damages it could cause.


Shou’s write up was followed by comments from cybersecurity researcher Sam Sun, who provided practical advice on how to avoid the exploit, highlighting the lack of safety even for those using Twitter on their phones via browsers.

Sun noted that the privacy-centric web browser Brave would have prevented the exploit from working.

The response from the X team was swift following this public disclosure. Within hours, they had patched the vulnerability, as confirmed by Sun. Despite the potential severity of the flaw, however, @rabbit_2333 was not rewarded for the discovery. Instead, they were notified that they were banished from the bug bounty program.

“Thank you Twitter,” the user wrote, with screenshots of Twitter’s ban notification.

As comments flooded in about whether @rabbit_2333 should have posted about the bug or not, the user claimed that they did follow proper protocol at first. It was only when X dismissed the severity and its eligibility for a bounty that they went public, the user said.

The purpose of bug bounty programs is to prevent incidents like this one, incentivising developers to discover security holes with rewards and an agreement not to disclose them while the company fixes things.


Bug bounty programs are common in software development, as well as in cryptocurrency, particularly when dealing with smart contracts. While running such programs can be challenging, the prevention of a security breach is typically seen as worth the effort.

White-hat and bug-bounty incentive programs typically require vulnerabilities to be kept confidential. But they also often have expiration dates, to ensure the software developer acts in a timely manner.

Edited by Ryan Ozawa.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.