{“lastseen”:”2026-05-09T15:27:59″,”description”:”Hello again i discovered that there is another Liberapay profile of Liberapay team member at liberapay.com\/mdvhimself contains a link to an expired Twitter account, creating a Broken Link Hijacking (BLH) vulnerability. An attacker could register the expired handle and control what appears to be an officially linked social media account.\\nOn the donation page at https:\/\/liberapay.com\/mdvhimself\/donate, Liberapay displays a \\”Recipient Identity\\” section stating: \\”We have confirmed through an automated verification process that mdvhimself has control of the following accounts on other platforms:\\” – including the expired Twitter account. This falsely confirms to donors that the account is legitimate and verified.\\n\\nNote: mdvhimself is a Liberapay team member (developer\/translator\/community manager). This account should not be claimed by security researchers as it would directly impersonate an official team member.\\n\\n## Impact\\n\\nDescribe impact here.An attacker who claims the expired Twitter account could leverage the perceived legitimacy from the Liberapay profile link to conduct social engineering attacks, scam users, impersonate the profile owner, or spread misinformation. Users who trust the link from the official Liberapay website may be deceived into believing the attacker-controlled account is legitimate, potentially leading to financial fraud or reputation damage.\\nThe impact is particularly severe because mdvhimself is identified as a Liberapay team member (developers, translators, community managers who work on the platform). An attacker impersonating an official team member could exploit the heightened trust users place in Liberapay staff to conduct more sophisticated scams, request donations fraudulently, or damage the reputation of both the individual team member and the Liberapay platform itself.\\nThe risk is amplified by the fact that the donation page displays a \\”Recipient Identity\\” verification message that explicitly confirms the linked accounts belong to mdvhimself. This creates a false assurance to donors that the expired Twitter account is legitimate and verified, making them highly susceptible to scams if an attacker claims the account and uses it to contact donors or solicit additional payments outside the platform.\\n\\n## Steps to Reproduce:\\n\\n1. Go to https:\/\/liberapay.com\/Liberapay\/\\n2. Search for the mdvhimself account in the members section\\n3. Access the mdvhimself account at https:\/\/liberapay.com\/mdvhimself\\n4. Locate the Linked Accounts section\\n5. Click on the Twitter link https:\/\/x.com\/mdvhimself\\n6. In the normal case, you will find that it’s a broken link that can be hijacked \\n{F5884327}\\n7. For proof of concept purposes, I have hijacked the link to demonstrate what someone with malicious intent could do, such as spamming or posting illegal content on the account \\n{F5884331}”,”published”:”2026-05-09T13:45:10″,”modified”:”2026-05-09T14:49:09″,”type”:”hackerone”,”title”:”Liberapay: another liberapay member team twitter account broken Link Hijacking via Expired Twitter Account Link”,”source”:””,”references”:””,”id”:”H1:3723002″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3723002″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-09T15:27:59″,”description”:”Hello again i discovered that there is another Liberapay profile of Liberapay team member at liberapay.com\/mdvhimself contains a link to an expired Twitter account, creating…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-52724","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n