X Refuses to Pay Bug Bounty On Critical Vulnerability, Kicks Out Whitehat Instead

Friday, December 15, 2023, 03:42:00 PM

X is broke and broken, everyone seems to already know that. But is it broke because it’s broken, or broken because it’s broke? It seems the platform, under the helm of owner Elon Musk, just can’t keep itself from making bigger problems. Now, it’s refusing to pay whitehats in its bug bounty program.

One such whitehat is X user @rabbit_2333, who found an XSS vulnerability in the platform’s analytics subdomain that can basically let hackers take over any account. @rabbit_2333 claims that he reported the massive vulnerability but X dismissed the report, saying they’d known about it for a year and were already addressing it, adding it “decided that this report is not eligible for a bounty.”

This was when @rabbit_2333 decided that if X can shrug this bug report off, then he (or she) can break protocol and make the discovery public.

I submitted this bug report and didn't receive a bounty. You told me that this bug has existed for a year. Seeing that you haven't fixed it for so long, it seems that this bug is not important, so I made it public. pic.twitter.com/R9X4k8KqMZ
— rabbit (@rabbit_2333) December 12, 2023

Also, if X had known about it for a year and haven’t fixed it, then it must be not that big of a deal, right? After @rabbit_2333 posted about the vulnerability and it went around developer circles, Chaofan Shou, co-founder of the smart contract analysis platform Fuzz.Land, posted a demo of just how potentially critical the bug is.

😝 Here is the full disclosure of the Twitter XSS + CSRF vulnerability.

Clicking a crafted link or going to some crafted web pages would allow attackers to take over your account (posting, liking, updating your profile, deleting your account, etc.) pic.twitter.com/MVJ1MvHt6H
— Chaofan Shou (@shoucccc) December 13, 2023

Shortly after, X patched the vulnerability … and kicked @rabbit_2333 from their bug bounty program for violating the HackerOne code of conduct for posting about the vulnerability.

Thank you twitter pic.twitter.com/vQiNx8i8at
— rabbit (@rabbit_2333) December 13, 2023

Bug bounty programs are a way for companies and developers to reward ethical hackers or whitehats for successfully discovering and reporting bugs or vulnerabilities. It lets companies, like X, privately engage the hacker community to, well, get the bugs out, and improve the security of their systems.

So if, especially at their stripped-down state with fewer developers, they’re no longer compensating ethical hackers — even for something as critical as the vulnerability that @rabit_2333 spotted — just imagine what else could go wrong.

But yeah, Musk thinks advertisers leaving is Media Matters’ and the mainstream media’s fault.

today elon learned why bug bounty programs are importanthttps://t.co/zgqQkN0EhZ pic.twitter.com/7heTiTzg84
— Molly White (@molly0xFFF) December 14, 2023

Information for this story was found via X, and the sources and companies mentioned. The author has no securities or affiliations related to the organizations discussed. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.