Public Twitter bug reports.

| Team | Bounty | Title |
|---|---|---|
| Twitter | $10,080 | XXE on in SXMP Processor |
| Twitter | $420 | Open Redirect |
| Twitter | $560 | HTTP 401 response injection on "" through "image_src" parameter |
| Twitter | $280 | [██████████] .htpasswd disclosure |
| Twitter | $560 | [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME |
| Twitter | $2,520 | CSRF on Periscope Web OAuth authorization endpoint |
| Twitter | $7,560 | [URGENT] Opportunity to publish tweets on any Twitter account |
| Twitter | $7,560 | Vine all registered user private/sensitive information disclosure [IP address/phone no/email and much other information] |
| Twitter | $5,040 | Attacker can get all information of Vine repost users, even IP address and location |
| Twitter | $560 | Clickjacking on Chrome |
| Twitter | - | Remote Unrestricted file Creation/Deletion and Possible RCE |
| Twitter | $1,680 | CRLF and XSS stored on |
| Twitter | $140 | Sub Domain Takeover at |
| Twitter | - | GNIP subdomain take over |
| Twitter | $280 | Vine - overwrite account associated with email via android application |
| Twitter | $560 | Twitter for android is exposing user's location to any installed android app |
| Twitter | $1,120 | [IDOR][] Opportunity to change any comment at the forum |
| Twitter | $280 | SSRF in |
| Twitter | $2,520 | Cross-site scripting (reflected) |
| Twitter | $140 | Full Path Disclosure at |
| Twitter | $1,260 | View liked tweets of private account via |
| Twitter | $560 | Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER] |
| Twitter | $2,100 | Twitter iOS fails to validate server certificate and sends oauth token |
| Twitter | $560 | leaking Digits OAuth authorization to third party websites |
| Twitter | $5,040 | [] See someone else's pics |
| Twitter | $560 | redirects to vulnerable |
| Twitter | $1,120 | Stealing User emails by clickjacking |
| Twitter | $1,120 | csp bypass + xss |
| Twitter | $420 | Html Injection and Possible XSS in |
| Twitter | $560 | Information Disclosure through .DS_Store in ██████████ |
| Twitter | - | List of a ton of internal twitter servers available on GitHub |
| Twitter | $840 | [Critical] - Steal OAuth Tokens |
| Twitter | $700 | xss in DM group name in twitter |
| Twitter | $700 | niche s3 buckets are readable/writeable/deleteable by authorized AWS users |
| Twitter | $280 | XSS using javascript:alert(8007) |
| Twitter | $1,120 | DOMXSS in Tweetdeck |
| Twitter | $280 | Sub-Domain Takeover |
| Twitter | $2,520 | Tweet Deck XSS - Persistent - Group DM name |
| Twitter | $2,520 | Bypassing Digits web authentication's host validation with HPP |
| Twitter | $5,040 | Bypassing Digits bridge origin validation |
| Twitter | $2,520 | Bypassing callback_url validation on Digits |
| Twitter | $140 | Subdomain Expired |
| Twitter | $560 | xss in link items ( |
| Twitter | $560 | URGENT : Account Take Over Vulnerability |
| Twitter | $560 | Add tweet to collection CSRF |
| Twitter | $280 | Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) |
| Twitter | $1,120 | File Upload XSS in image uploading of App in mopub |
| Twitter | $280 | Following a User After Favoriting Actually Follows Another User (related to #95243) |
| Twitter | $1,120 | Can see private tweets via keyword searches on tweetdeck |
| Twitter | $280 | CSRF on cards API |
| Twitter | $5,040 | IDOR - Activate Mopub on different organizations - steal api token |
| Twitter | $280 | Following a User Actually Follows Another User |
| Twitter | $280 | XSS in the "Poll" Feature on |
| Twitter | $280 | Tweetdeck (twitter owned app) not revoked |
| Twitter | $2,520 | Multiple DOMXSS on Amplify Web Player |
| Twitter | $2,520 | XSS on OAuth authorize/authenticate endpoint |
| Twitter | $280 | DOM based cookie bomb |
| Twitter | - | Privacy Issue : view "Protected users" followers and following |
| Twitter | $280 | Ex-admin of an organization can delete team members |
| Twitter | - | Privacy Issue on protected tweets |
| Twitter | $420 | Insecure Direct Object Reference - access to other user/group DMs |
| Twitter | $2,800 | HTTP Response Splitting (CRLF injection) due to headers overflow |
| Twitter | $1,400 | XSS in |
| Twitter | $420 | Insecure direct object reference - have access to deleted DMs |
| Twitter | $3,500 | HTTP Response Splitting (CRLF injection) in report_story |
| Twitter | $560 | open redirect sends authenticity_token to any website or (ip address) |
| Twitter | $1,400 | XSS in original referrer after follow |
| Twitter | $560 | Twitter Ads Campaign information disclosure through admin without any authentication |
| Twitter | $1,400 | Open Redirect leak of authenticity_token leads to full account take over |
| Twitter | - | Cross site Port Scanning bug in twitter developers console |
| Twitter | $1,400 | Redirect URL in /intent/ functionality is not properly escaped |
| Twitter | $140 | Reporting a user's profile by using another person's ID |
| Twitter | $560 | Twitter Card - Parent Window Redirection |
| Twitter | $1,260 | Problem with OAuth |
| Twitter | $140 | Insecure Data Storage in Vine Android App |
| Twitter | $140 | Flaw in login with twitter to steal Oauth tokens |
| Twitter | - | Path disclosure in |
| Twitter | $420 | twitter android app Fragment Injection |
| Twitter | $1,120 | - an app admin can delete team members from other user apps |
| Twitter | $1,400 | - app member can make himself an admin |
| Twitter | - | Account Deleted without any confirmation |
| Twitter | - | No rate limiting on creating lists |
| Twitter | $420 | URGENT - Subdomain Takeover on , the same issue as report #32825 |
| Twitter | $1,400 | HTML/XSS rendered in Android App of Crashlytics through |
| Twitter | $140 | POODLE Bug:,, |
| Twitter | $280 | Open redirection in |
| Twitter | - | Abuse of "Remember Me" functionality |
| Twitter | - | Homograph attack |
| Twitter | $1,400 | [Stored XSS] - profile page |
| Twitter | - | Notifications can be marked as read by CSRF |
| Twitter | - | Headers Missing |
| Twitter | $140 | getting emails of users/removing them from victim's account [using typical attack] |
| Twitter | $280 | XSS via Fabrico Account Name |
| Twitter | $420 | Bad extended ascii handling in HTTP 301 redirects of |
| Twitter | - | Options Method Enabled |
| Twitter | - | Option Method Enabled on web server |
| Twitter | - | Flaw in valid password policy |
| Twitter | $1,400 | DOM Cross-Site Scripting (XSS) |
| Twitter | $1,680 | URGENT - Subdomain Takeover on due to unclaimed domain pointing to AWS |
| Twitter | $280 | XSS in |
| Twitter | $140 | Signup Page HTML Injection Vulnerability |
| Twitter | - | Creating Unauthorized Audience Lists |
| Twitter | $420 | Unauthorized Tweeting on behalf of Account Owners |
| Twitter | $560 | Improper Verification of email address while saving Account Settings |
| Twitter | $280 | Profile Pic padding (Length-hiding) fails due to use of GZIP |
| Twitter | $1,120 | XSS \| video-js metadata |
| Twitter | $1,120 | XSS |
| Twitter | - | Twitter Flight SSL 2.0 deprecated protocol vulnerability |
| Twitter | $420 | iOS App can establish Facetime calls without user's permission |
| Twitter | $1,400 | Cross site scripting on |
| Twitter | $1,400 | Stored xss |
| Twitter | $1,400 | xss |
| Twitter | $2,800 | Delete Credit Cards from any Twitter Account in [New Vulnerability] |
| Twitter | $140 | Missing Rate Limiting on |
| Twitter | $140 | Full path disclosure at |
| Twitter | - | HTML form without CSRF protection at |
| Twitter | - | User's DMs won't be deleted after logout from Twitter for iOS ( |
| Twitter | - | Broken authentication and invalidated email address leads to account takeover |
| Twitter | - | Password reset link not validated |
| Twitter | - | password sent over HTTP |
| Twitter | - | Cookie not marked as secure |
| Twitter | - | XSS vulnerability in video player page |
| Twitter | - | Captcha bypass with extension at |
| Twitter | - | [ /] CSRF protection bypass |
| Twitter | - | and are vulnerable to CRIME attack |
| Twitter | - | Token remains alive even after logging out! |
| Twitter | - | CSRF in |