Full Report
The author of this post received an unsolicited gifted Premium subscription to X/Twitter. Since the move to a paid subscription model, it is well known that the requirements for being "verified" have dropped drastically. In several places, Twitter states that an account must have a confirmed phone number and agree to the Terms of Service to become a Twitter Premium member. The gifted-subscription route should, in theory, be subject to the same requirements as the regular route. The author's account does NOT have a phone number linked or confirmed. In fact, they have not even confirmed their email address since 2012! They tested this with several friends and were able to reproduce the issue. Why does any of this matter? Privacy and transparency. This feature was rolled out in 2024, a few months before that year's election. Many of the political accounts that claimed to be "based in the US" were recently outed, via the country indicator that was rolled out, as being located elsewhere and as "fake news". If we take people's identities on Twitter seriously (e.g. "I am the president of the United States"), then this is a lapse in Twitter's security. Good post!
Analysis Summary
# Vulnerability: X (Twitter) Premium Verification Bypass via Gift Subscriptions
## CVE Details
- **CVE ID:** N/A (Business Logic Flaw / Policy Bypass)
- **CVSS Score:** 4.3 (Medium - estimated)
- **CVSS Vector:** AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- **CWE:** CWE-290: Authentication Bypass by Spoofing; CWE-841: Improper Enforcement of Behavioral Workflow
## Affected Systems
- **Products:** X (formerly Twitter) social media platform.
- **Versions:** Production environment as of late 2024–2025.
- **Configurations:** Accounts receiving "Gifted" Premium subscriptions.
## Vulnerability Description
A business logic flaw exists in the X Premium subscription workflow where "Gifted" subscriptions bypass the mandatory identity verification checks required for standard individual sign-ups.
Under normal circumstances, X Premium requires a confirmed phone number and adherence to specific eligibility criteria (e.g., account age, active status). However, when a third party gifts a subscription to another user, the platform automatically applies the "Verified" blue checkmark and Premium status to the recipient account without requiring the recipient to provide a phone number, confirm their email, or manually accept the Terms of Service. This effectively allows an unverified account to gain the appearance of a verified identity through a third-party payment.
## Exploitation
- **Status:** PoC confirmed / Exploited in the wild (reported behavior).
- **Complexity:** Low.
- **Attack Vector:** Network. An external actor only needs the recipient's handle and a form of payment to trigger the bypass.
## Impact
- **Confidentiality:** None.
- **Integrity:** Medium. The integrity of the "Verified" badge system is compromised, allowing potentially anonymous or bot-driven accounts to appear legitimate and gain algorithmic boosts.
- **Availability:** None (though recipient accounts may be "locked" into the subscription without an easy path to cancel).
## Remediation
### Patches
- **Vendor Action Required:** No client-side patch is available. X/Twitter must update their backend logic to hold gifted subscriptions in a "Pending" state until the recipient completes the verification workflow (phone SMS verification and TOS acceptance).
### Workarounds
- **User Side:** Currently, there is no technical setting to "Refuse All Gifts." Users must contact X Support to request manual removal, though reports indicate low success rates in processing these cancellations.
## Detection
- **Indicators of Compromise:** Accounts possessing a "Verified" blue checkmark despite lacking a linked/confirmed phone number or verified email address.
- **Detection Methods:** Analysis of account metadata via Subject Access Requests (SAR) can confirm if a phone number exists on the backend. Discrepancies between "Verified" status and account age/completeness may indicate exploitation of this bypass.
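As an added illustration (not code from X or from the original article), the sketch below models the remediation and detection described above: the gift path parks the subscription in a Pending state and reuses the same eligibility gate as the direct sign-up path, and an audit flags badges that exist without the prerequisites the badge implies. Account records, handles and field names are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class SubState(Enum):
    NONE = "none"
    PENDING = "pending"   # paid for, recipient has not cleared verification yet
    ACTIVE = "active"     # Premium features and the blue checkmark are granted


@dataclass
class Account:
    handle: str
    phone_confirmed: bool
    tos_accepted: bool
    subscription: SubState = SubState.NONE
    verified_badge: bool = False


def eligible(acct: Account) -> bool:
    """The gate the standard sign-up path enforces: phone verification and TOS."""
    return acct.phone_confirmed and acct.tos_accepted


def gift_premium_vulnerable(recipient: Account) -> Account:
    """Behaviour the report describes: a third party's payment alone grants the badge."""
    recipient.subscription = SubState.ACTIVE
    recipient.verified_badge = True
    return recipient


def complete_verification(acct: Account) -> Account:
    """Run whenever the recipient confirms a phone number or accepts the TOS."""
    if acct.subscription is SubState.PENDING and eligible(acct):
        acct.subscription = SubState.ACTIVE
        acct.verified_badge = True
    return acct


def gift_premium_fixed(recipient: Account) -> Account:
    """Remediation: the gift is held in PENDING until the same gate is cleared."""
    recipient.subscription = SubState.PENDING
    return complete_verification(recipient)


def audit_badge_consistency(accounts) -> list[str]:
    """Detection: handles showing a badge while failing the prerequisites."""
    return [a.handle for a in accounts if a.verified_badge and not eligible(a)]


if __name__ == "__main__":
    # Constructed sample: an account with no phone and no TOS acceptance on file.
    victim = gift_premium_vulnerable(Account("@constructed_example", False, False))
    print(audit_badge_consistency([victim]))   # flags the unverified badge holder
```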
## References
- **Original Article:** hxxps://medium[.]com/@ItsNotNicole/twitter-x-premium-account-verification-bypass-vector-of-sorts-gift-subscriptions-10487844f976
- **X Policy Documentation:** hxxps://help[.]twitter[.]com/en/using-x/x-premium
- **Researcher Profile:** hxxps://x[.]com/Alph4betSoup