Twitter account falling into the hands of a hacker spells extreme trouble. And if it is anyone’s user account that they can access then it sounds even more troubling, right? A similar vulnerability, which allowed hackers to tweet from anyone’s Twitter handle as and when they wanted to, was discovered in the micro-blogging platform’s Ad Studio platform.
The vulnerability, reported initially by Motherboard, was discovered by a security researcher who goes by the moniker Kedrisch. It is one of the long-standing bugs and had plagued the platform until 28th February earlier this year. This was initially spotted in the micro-blogging platform’s ad network back in the month, reported via the Bug Bounty program, and fixed within a couple days.
In their official blog post, Kedrisch stated,
I found the vulnerability which allowed hackers to publish entries in Twitter-network by any user of this service, meanwhile without having the access to the account of a victim.
As for how one can execute the said process, when the bug wasn’t patched, anyone could navigate to its ads platform — Twitter Ads Studio and try to upload any media/content. Once you upload something, you’re redirected to the service library where the review process for the media happens before publishing. This is where the high-severity vulnerability appeared and has been described by the micro-blogging platform underneath.
In its official summary on HackerOne, Twitter mentions that the hacker only needed to change the code sent back to Twitter when you’re tweeting something on your profile. You could skip the process of hacking someone’s account and simply enter the handle of person whose account you want to tweet from. In more technological linguistics, this has been described as under:
By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account.
Kedrisch had been scouting the platform for bugs for quite some time and stumbled upon this one towards the end on February. It was easily exploitable and could handover access to anyone’s account to anyone, which was a grave miscarriage of user privacy. The vulnerability was fixed within three days and the security researcher was awarded a bounty of $7,560. This isn’t particularly the highest bug bounty awarded by the micro-blogging platform but is surely one of the hefty ones.
