Ability to see hidden likes privacy vulnerability on Twitter

Posted: Thu Oct 31, 2024 5:48 am
by Shane1145
X Premium users could hide their Likes timeline in their profile. However, an authenticated user could locate an X Premium user’s hidden likes by making an HTTP GET request to the /i/api/graphql/lVf2NuhLoYVrpN4nO7uw0Q/Likes API endpoint, specifying the target user’s twitter_id within the userId value (e.g. i/api/graphql/lVf2NuhLoYVrpN4nO7uw0Q/Likes?variables=%7B%22userId%22%3A%22[Target_User_ID]%22). Once the GET request was made, the application would respond with the target user’s hidden “Likes” in JSON format.

https://hackerone.com/reports/2140960
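As an added illustration (not code from the report, the poster, or X), the following Python models the gap described above: the hide-Likes setting is honoured only when rendering the profile, while the GraphQL Likes resolver hands the timeline to any authenticated caller who supplies another userId. The User class, USERS sample accounts, resolver names and the example host are constructed for this demo; the fixed resolver performs the privacy check server-side on every request.

```python
# Added example (not from the HackerOne report or from X's own code): a minimal
# model of the access-control gap the report describes, beside a server-side fix.
# The User class, USERS sample data and resolver names are constructed for this demo.
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

@dataclass
class User:
    user_id: str
    hide_likes: bool          # the X Premium "hide Likes" setting from the report
    likes: list = field(default_factory=list)

# Constructed accounts: "1001" is a Premium user who hid their Likes timeline.
USERS = {
    "1001": User("1001", hide_likes=True, likes=["post-7", "post-9"]),
    "2002": User("2002", hide_likes=False, likes=["post-3"]),
}

def parse_variables(url):
    """Decode the GraphQL 'variables' query parameter (URL-encoded JSON),
    the request shape quoted in the report."""
    qs = parse_qs(urlsplit(url).query)
    return json.loads(qs["variables"][0])

def can_view_likes(requester_id, target):
    """Privacy rule enforced on the server: a hidden Likes timeline is visible
    only to its owner, regardless of who is authenticated."""
    return (not target.hide_likes) or requester_id == target.user_id

def likes_resolver_vulnerable(requester_id, variables):
    """Reported behaviour: any authenticated caller who supplies another
    user's userId receives that user's hidden Likes."""
    if requester_id not in USERS:
        return {"data": None, "errors": [{"message": "authentication required"}]}
    target = USERS[variables["userId"]]
    return {"data": {"user": {"likes": list(target.likes)}}}

def likes_resolver_fixed(requester_id, variables):
    """Same query shape, with the hide_likes check done per request on the server."""
    if requester_id not in USERS:
        return {"data": None, "errors": [{"message": "authentication required"}]}
    target = USERS.get(variables["userId"])
    if target is None or not can_view_likes(requester_id, target):
        # One generic denial so the response does not reveal whether the user exists
        return {"data": {"user": None}, "errors": [{"message": "Likes not available"}]}
    return {"data": {"user": {"likes": list(target.likes)}}}
```

Running `likes_resolver_vulnerable("2002", parse_variables(url))` against a URL naming user 1001 returns the hidden list, while `likes_resolver_fixed` returns the generic denial unless the requester is 1001.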