Liberapay team member Twitter account: Broken Link Hijacking via expired Twitter account link

Disclosed: 2026-05-09 13:28:14 By rox-11 To liberapay
Unknown
## Vulnerability Details

The Liberapay profile of team member martindelille (https://liberapay.com/martindelille) links to a Twitter account whose handle has expired, creating a Broken Link Hijacking (BLH) vulnerability. An attacker can register the released handle and thereby control what appears to be an officially linked social media account.

The donation page at https://liberapay.com/martindelille/donate makes this worse. Its "Recipient Identity" section states: "We have confirmed through an automated verification process that martindelille has control of the following accounts on other platforms:" and lists the expired Twitter account among them. That check reflects the state at verification time; now that the handle has been released, the message vouches to donors for an account that anyone can register. {F5879780}

Note: martindelille is a Liberapay team member (developer/translator/community manager). This account should not be claimed by security researchers, as doing so would directly impersonate an official team member.

## Steps to Reproduce

1. Go to https://liberapay.com/Liberapay/
2. Find the martindelille account in the members section.
3. Open the account at https://liberapay.com/martindelille
4. Locate the Linked Accounts section.
5. Click the Twitter link https://x.com/martinodelilo
6. Normally you will find that it is a broken link that can be hijacked. {F5879811}
7. For proof-of-concept purposes, I have hijacked the link to demonstrate what someone with malicious intent could do, such as spamming or posting illegal content from the account. {F5879815}

## Impact

An attacker who claims the expired Twitter account could leverage the perceived legitimacy of the Liberapay profile link to conduct social engineering attacks, scam users, impersonate the profile owner, or spread misinformation. Users who trust the link from the official Liberapay website may believe the attacker-controlled account is legitimate, potentially leading to financial fraud or reputational damage.

The impact is particularly severe because martindelille is identified as a Liberapay team member (developers, translators, and community managers who work on the platform). An attacker impersonating an official team member could exploit the heightened trust users place in Liberapay staff to run more convincing scams, request donations fraudulently, or damage the reputation of both the individual team member and the Liberapay platform itself. The risk is amplified by the "Recipient Identity" verification message on the donation page, which explicitly confirms that the linked accounts belong to martindelille. This gives donors a false assurance that the expired Twitter account is legitimate and verified, making them highly susceptible to scams if an attacker claims the account and uses it to contact donors or solicit payments outside the platform.
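The root cause described above is that an ownership check performed once, against a handle, keeps being displayed after the handle has been released. The following is an added example (not Liberapay's code, and not part of the report) of how a platform could avoid advertising a claimable handle as verified: record the platform's immutable user ID when the automated check passes, re-resolve the handle before rendering the badge, and drop the badge if the handle is unregistered, now maps to a different ID, or the check is older than a policy window. The `LinkedAccount` data model, the 30-day window, the `lookup` callback, and the `FAKE_DIRECTORY` fixture are all assumptions constructed for the example; on a real platform `lookup` would be an API call.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Maximum age of a passed ownership check before it must be re-run (assumed policy value).
MAX_VERIFICATION_AGE = timedelta(days=30)


@dataclass(frozen=True)
class LinkedAccount:
    platform: str
    handle: str
    platform_user_id: str   # immutable platform ID captured when the automated check passed
    verified_at: datetime   # when that check last passed


# (platform, handle) -> immutable user ID currently behind the handle, or None if unregistered.
# Assumption: this is a platform API lookup. A plain HTTP GET of x.com/<handle> is not a
# reliable substitute, since the page is rendered client-side and may not answer 404 for a
# free handle.
LookupFn = Callable[[str, str], Optional[str]]


def evaluate_link(account: LinkedAccount, lookup: LookupFn, now: datetime) -> str:
    """Classify a linked account. Only "verified" should render with the identity badge."""
    current_id = lookup(account.platform, account.handle)
    if current_id is None:
        return "unregistered"   # handle released: anyone can claim it (the BLH case)
    if current_id != account.platform_user_id:
        return "reassigned"     # handle now belongs to a different user
    if now - account.verified_at > MAX_VERIFICATION_AGE:
        return "stale"          # same user, but re-run the automated check before re-badging
    return "verified"


def badged_handles(accounts: List[LinkedAccount], lookup: LookupFn, now: datetime) -> List[str]:
    """Handles that may appear under a 'we have confirmed control of' message."""
    return [a.handle for a in accounts if evaluate_link(a, lookup, now) == "verified"]


# ---- Constructed fixture standing in for the external platform's directory ----
FAKE_DIRECTORY = {
    ("twitter", "alice_dev"): "1001",
    ("twitter", "bob"): "2002",
    ("twitter", "carol"): "4004",
}


def fake_lookup(platform: str, handle: str) -> Optional[str]:
    return FAKE_DIRECTORY.get((platform, handle.lower()))


NOW = datetime(2026, 5, 9, tzinfo=timezone.utc)

# Constructed sample data covering each outcome.
SAMPLE_ACCOUNTS = [
    LinkedAccount("twitter", "alice_dev", "1001", NOW - timedelta(days=5)),    # verified
    LinkedAccount("twitter", "old_handle", "3003", NOW - timedelta(days=400)),  # unregistered
    LinkedAccount("twitter", "bob", "1500", NOW - timedelta(days=2)),           # reassigned
    LinkedAccount("twitter", "carol", "4004", NOW - timedelta(days=90)),        # stale
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.handle}: {evaluate_link(acct, fake_lookup, NOW)}")
    print("badged:", badged_handles(SAMPLE_ACCOUNTS, fake_lookup, NOW))
```

Binding the verification to the platform's user ID rather than the handle is what makes the "unregistered" and "reassigned" cases detectable: a handle can be released and re-registered by anyone, while the ID stays with the original account.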
Report Stats
  • Report ID: 3721519
  • State: Closed
  • Substate: resolved