Recently, Twitter patched a high-severity data security flaw that allowed an attacker to post a tweet from any account of their choosing, pretending to be the owner of said account.
According to Kedrisch, a data security researcher, the flaw was present on the platform for quite some time, up until February 28th this year. Kedrisch disclosed the flaw on Tuesday.
Initially, the bug was discovered in Twitter Ads Studio, a platform that allows advertisers to upload media and content, in the service library, where users are given a chance to review the media before it is published.
This is how the exploit worked: the attacker first picked a victim, shared the media with that account, and then modified the POST request so that it carried the victim’s account ID. Rather than being posted from the attacker’s account, the tweet appeared to come from the victim.
Worse yet, the attack required no knowledge of the victim’s login credentials; only the parameters of the request needed to be tweaked.
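The bug class described above is a missing server-side authorization check: the account that will "own" the tweet is read from a caller-supplied request parameter instead of from the authenticated session, and the only check applied is whether that account may see the media, which a shared item satisfies. The following is an added illustration and not Twitter's code; the request shape, the account IDs, the media library and the handler names are all constructed for this example. It places a handler with that defect beside a hardened one that binds the action to the session and treats a mismatched `account_id` parameter as tampering worth logging.

```python
"""Added illustration (not Twitter's code) of the bug class described in the
article: trusting a caller-supplied account ID, next to a handler that
binds the action to the authenticated session. All names, data and the
request shape here are constructed for this example."""

from dataclasses import dataclass, field

# Constructed sample state: two accounts and one media item the first
# account has shared with the second.
ACCOUNTS = {"attacker": 1001, "victim": 2002}      # username -> account_id
# media_id -> (owner_account_id, set of account_ids it was shared with)
MEDIA_LIBRARY = {"m-1": (1001, {2002})}
TIMELINE = []           # (account_id, media_id, text) tuples that were "posted"
AUDIT_LOG = []          # mismatch events a detection pipeline could alert on


@dataclass
class Request:
    session_account_id: int                 # who is actually logged in
    params: dict = field(default_factory=dict)   # parsed POST body


class AuthorizationError(Exception):
    pass


def can_access_media(account_id, media_id):
    """True if the account owns the media or it was shared with the account."""
    owner, shared_with = MEDIA_LIBRARY[media_id]
    return account_id == owner or account_id in shared_with


def post_tweet_vulnerable(req):
    """Defect: the posting account comes from the request body. The only
    check is that *that* account may see the media, which is true for any
    account the media was shared with, so the tweet lands on that account."""
    account_id = int(req.params["account_id"])
    media_id = req.params["media_id"]
    if not can_access_media(account_id, media_id):
        raise AuthorizationError("media not visible to account")
    TIMELINE.append((account_id, media_id, req.params.get("text", "")))
    return account_id


def post_tweet_fixed(req):
    """Fix: the acting account is the authenticated session's account, and the
    media check is made for that account. A caller-supplied account_id that
    differs from the session is rejected and recorded for detection."""
    account_id = req.session_account_id
    requested = req.params.get("account_id")
    if requested is not None and int(requested) != account_id:
        AUDIT_LOG.append({"session": account_id, "requested": int(requested),
                          "reason": "account_id/session mismatch"})
        raise AuthorizationError("account_id does not match session")
    media_id = req.params["media_id"]
    if not can_access_media(account_id, media_id):
        raise AuthorizationError("media not visible to account")
    TIMELINE.append((account_id, media_id, req.params.get("text", "")))
    return account_id


def demo():
    """Replay one tampered request against both handlers.

    Returns (account the vulnerable handler posted as, outcome for the fixed
    handler, number of audit events)."""
    TIMELINE.clear()
    AUDIT_LOG.clear()
    # The logged-in account is 1001, but the body names account 2002.
    tampered = Request(session_account_id=ACCOUNTS["attacker"],
                       params={"account_id": str(ACCOUNTS["victim"]),
                               "media_id": "m-1", "text": "hello"})
    posted_as = post_tweet_vulnerable(tampered)     # attributed to 2002
    try:
        post_tweet_fixed(tampered)
        outcome = "allowed"
    except AuthorizationError:
        outcome = "rejected"
    return posted_as, outcome, len(AUDIT_LOG)


if __name__ == "__main__":
    print(demo())       # (2002, 'rejected', 1)
```

The hardened handler keeps the media visibility check but evaluates it for the session account only; the optional `account_id` parameter is accepted solely as a consistency check, and any disagreement with the session is logged, since a legitimate client never sends a different value.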
The bug was submitted on HackerOne as part of Twitter’s bug bounty program, and the researcher was awarded $7,560 for the report. After learning of the bug, Twitter moved quickly, resolving the issue within two days.
Between 2014 and 2016, Twitter awarded researchers more than $322,000 for over 5,000 vulnerability submissions, including HTTP response problems, XSS flaws and other, less severe classes of bugs.