Broken link hijacking of social media account

Vinay Bhuria
2 min read · Aug 3, 2020


Hi Hunters, this is my first blog. I am going to share a vulnerability which I found very recently. The issue I found was in a Karnataka Government website, so I cannot disclose the website name; I will refer to it as Target.com.

I was able to takeover the Twitter page of the Karnataka Government using a technique called Broken Link Hijacking.

I found the vulnerability on Target.com without needing any tool. When I visited the target homepage I saw some social media links, and the first thing I did was "Open in New Tab" on each of them. All the other social media pages were working fine except for Twitter, which showed "This account doesn't exist".

I simply created a new Twitter account with the username 'YourTarget_Account_Name'; it was created successfully and I was able to take over the government site's Twitter page.

Impact

An attacker can post content in the name of the organization. Because the page is linked from the official website, a legitimate user who clicks the link is taken to the attacker-controlled account and has every reason to trust it. The fix on the website side is to remove the dead link or re-register the handle before someone else does.
