By SecureWorld News Team
Thu | May 25, 2017 | 2:52 PM PDT

A vulnerability in Twitter was just disclosed publicly that would have allowed hackers to post tweets from any account of their choosing.

While someone could have had some fun with it, the bug was no bueno from a security standpoint.

While the bug would have allowed someone to post a tweet from whatever account they wanted, it did not grant the attacker access to the account itself.

Instead, a flaw in Twitter's Ad Studio (which advertisers use to upload media) let an attacker intercept the request that publishes a tweet and change the account identifiers in it, so that the tweet was posted from a different account.

The bug was discovered by a security researcher on February 26, 2017, reported through Twitter's bug bounty program, and patched two days later.

As reported by Twitter, "This bug was patched immediately after being triaged, and no evidence was found of the flaw being exploited by anyone other than the reporter."

The flaw was disclosed publicly on May 22 and was given a high severity rating (a score between 7.0 and 8.9). The security researcher, who goes by Kedrisch, published a detailed analysis of his findings in a blog post, summarized below:

  1. We upload our media file.
  2. Share this file with the user whose account we use to publish the entry.
  3. Intercept the query for tweet publication and simply change the following data in the POST method: owner_id and user_id, to the Twitter ID of the victim account (it's quite simple to find this out, as there are a lot of online services).
  4. We receive the message about a successful tweet publication attempt.
  5. Have fun!
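The failure those five steps describe is a publish endpoint that takes the posting account from identifiers in the request body rather than from the authenticated session. The Python below is an added, constructed model of that bug class beside its hardened form; it is not Twitter's or Kedrisch's code. The in-memory data model, the function names, the account IDs, and the reason step 2 is needed (an assumed check that the media has been shared with the claimed account) are all assumptions made for the illustration.

```python
"""Constructed model of a publish endpoint that trusts client-supplied
account identifiers (the bug class in the write-up above), next to a
fixed version. Illustrative only: not Twitter's Ad Studio code; the data
model, names and sample IDs are assumptions."""

from dataclasses import dataclass, field

# Constructed sample accounts: the attacker holds the session, the
# victim is the account whose ID gets written into the POST body.
ATTACKER_ID = 1001
VICTIM_ID = 2002


@dataclass
class Store:
    media_owner: dict = field(default_factory=dict)   # media_id -> owner account id
    media_shares: dict = field(default_factory=dict)  # media_id -> accounts it is shared with
    tweets: list = field(default_factory=list)        # (posting account id, media_id, text)


def sample_store() -> Store:
    """Media 'm1' uploaded by the attacker (step 1) and shared with the
    victim (step 2). Assumed data, not from the original write-up."""
    s = Store()
    s.media_owner["m1"] = ATTACKER_ID
    s.media_shares["m1"] = {VICTIM_ID}
    return s


def media_visible_to(store: Store, media_id: str, account_id: int) -> bool:
    """Assumed share check: the account owns the media or it was shared."""
    return (store.media_owner.get(media_id) == account_id
            or account_id in store.media_shares.get(media_id, set()))


def tampered_request() -> dict:
    """The POST body after step 3: the attacker's own session sends it,
    but owner_id and user_id now name the victim."""
    return {"media_id": "m1", "text": "hello", "owner_id": VICTIM_ID, "user_id": VICTIM_ID}


def publish_vulnerable(store: Store, session_user: int, body: dict) -> dict:
    """Vulnerable: the posting account comes from the request body.

    session_user is the authenticated principal and is never consulted.
    The share check passes because the attacker really did share the
    file with the victim, so the tweet is attributed to body["user_id"]."""
    media_id = body["media_id"]
    user_id = body["user_id"]  # attacker-controlled
    if not media_visible_to(store, media_id, user_id):
        return {"ok": False, "error": "media not shared with account"}
    store.tweets.append((user_id, media_id, body["text"]))
    return {"ok": True, "posted_as": user_id}


def publish_fixed(store: Store, session_user: int, body: dict) -> dict:
    """Hardened: the posting account is the authenticated principal.

    Client-supplied owner_id / user_id are not trusted; if present they
    must agree with the session, otherwise the request is rejected so a
    tampered body fails loudly instead of being silently reinterpreted."""
    media_id = body["media_id"]
    for key in ("user_id", "owner_id"):
        if key in body and body[key] != session_user:
            return {"ok": False, "error": f"{key} does not match authenticated session"}
    if not media_visible_to(store, media_id, session_user):
        return {"ok": False, "error": "media not shared with account"}
    store.tweets.append((session_user, media_id, body["text"]))
    return {"ok": True, "posted_as": session_user}


def demo() -> tuple:
    """Replay the tampered request against both handlers."""
    vulnerable = publish_vulnerable(sample_store(), ATTACKER_ID, tampered_request())
    fixed = publish_fixed(sample_store(), ATTACKER_ID, tampered_request())
    return vulnerable, fixed


if __name__ == "__main__":
    v, f = demo()
    print("vulnerable handler:", v)  # posted_as is the victim's ID
    print("fixed handler:     ", f)  # rejected: user_id does not match session
```

The check that matters is not the media-share lookup (the attacker satisfies it legitimately in step 2) but where the posting identity comes from: any field the client can edit in transit is attacker input, and the account to act as must be derived server-side from the session or token.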

Kedrisch received a bug bounty of $7,560 for his findings.
