Well here’s something we didn’t expect to arrive in the mailbox this morning – a security flaw within Twitter’s Ad Studio.
One eagle-eyed researcher discovered that it was entirely possible to post to Twitter using somebody else’s account. Without having to know their login credentials, may I add.
Sounds crazy, doesn’t it? But with a simple bit of manipulation it was indeed perfectly possible.
How it could be achieved
Twitter’s advertising platform is a great way for businesses to publish content to Twitter, and it employs a fairly straightforward workflow.
Once you have your assets in place you can review them within the Service Center.
Here’s the detail from ZDNet:
When handling media and tweet publishing requests, by sharing this media with an intended victim and then modifying the post request with the victim’s account ID, the media in question would be automatically posted from the victim’s account rather than the attacker’s.
As only the parameters of the code needed to be tweaked, there was no need to have any account credentials belonging to the victim to exploit the vulnerability.
The flaw was discovered by a security researcher who goes by the moniker Kedrisec. The details of his discovery can be found on his website at kedrisec.com.
Twitter naturally moved swiftly to resolve the issue, and the patch was deployed on 28th February 2017. Kedrisec received $7,560 for his efforts. Not bad for a day’s work, that!
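The class of flaw described in the ZDNet excerpt, a server that trusts the account ID carried in the request, shown beside the server-side check that closes it. This is an added example, not Twitter's code or the researcher's: the handler names, session table and account/media identifiers are all hypothetical, and the flow is a simplified model built only from the description above.

```python
from dataclasses import dataclass, field

@dataclass
class Media:
    owner: str
    shared_with: set = field(default_factory=set)

    def usable_by(self, account_id):
        return account_id == self.owner or account_id in self.shared_with

# Constructed sample data; every identifier here is hypothetical.
SESSIONS = {"sess_a": "acct_attacker", "sess_v": "acct_victim"}
MEDIA = {"m1": Media(owner="acct_attacker", shared_with={"acct_victim"})}

def publish_vulnerable(session_id, account_id, media_id):
    """Trusts the account_id carried in the request."""
    if session_id not in SESSIONS:
        raise PermissionError("not authenticated")
    media = MEDIA.get(media_id)
    # Only asks whether the *named* account may use the media.
    # Sharing the media with that account is enough to pass.
    if media is None or not media.usable_by(account_id):
        raise PermissionError("media not available to account")
    return {"author": account_id, "media": media_id}

def publish_hardened(session_id, account_id, media_id):
    """Binds the acting account to the authenticated session."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        raise PermissionError("not authenticated")
    # The account named in the request must be the session's own account.
    if account_id != caller:
        raise PermissionError("account_id does not belong to this session")
    media = MEDIA.get(media_id)
    if media is None or not media.usable_by(caller):
        raise PermissionError("media not available to account")
    return {"author": caller, "media": media_id}

def allowed(handler, session_id, account_id, media_id):
    """True if the handler accepts the request, False if it refuses."""
    try:
        handler(session_id, account_id, media_id)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    for h in (publish_vulnerable, publish_hardened):
        print(h.__name__, allowed(h, "sess_a", "acct_victim", "m1"))
```

The same mismatch check is a useful log signal: a publish request whose account ID differs from the session's account should be recorded and alerted on, not just rejected.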