Twitter Security Flaw: Hackers Could Tweet as Any User They Want
A recently discovered loophole in Twitter's security lets attackers post messages through the account of any user of the platform that they choose. The security flaw escaped notice for years until an independent security researcher disclosed the loophole to the company earlier this year.
The security researcher, who goes by an assumed name Kedrisch, later published his findings on his website where he shows how the exploit works. The bug was discovered in the Twitter Ads Studio, a platform added for advertisers that allow images, videos and other media to be uploaded to the platform.
The high-profile exploit was simple to execute, too. An attacker just needs to share a piece of media to the account of the target, and then change the HTTP post request to have the victim's account ID number, as summarized by ZDNet. No additional information about the target is needed. No passwords, email addresses or similar credentials are required in order to exploit this gaping loophole in the social media platform's advertising module.
Twitter said that the flaw was patched in just two days after Kedrisch disclosed the vulnerability to the company. The issue was declared resolved by the social media giant on Feb. 28, and it has awarded the security researcher with $7,560 as part of their bug bounty program.
A security engineer who previously worked for Twitter stated that when he saw that the flaw came from Twitter's advertising components, he was not surprised in the least. In a Twitter post, Charlie Miller implied that the ads team could have been one of the factors that caused the exploit to get into the system in the first place. "As former appsec tech lead for twitter, I'll just say I'm not shocked this was in code from the ads team," Miller posted on the social media platform.
Since his post was dated May 23, it can be reasonably assumed that this post was really by him.