The Twitter bug that let you post from another account!
25th May 2017


Well here’s something we didn’t expect to arrive in the mailbox this morning – a security flaw within Twitter’s Ad Studio.

One eagle-eyed researcher discovered that it was entirely possible to post to Twitter using somebody else’s account. Without having to know their login credentials, may I add.

Sounds crazy, doesn’t it? But with a simple bit of manipulation it was indeed perfectly possible.

How it could be achieved

Twitter’s advertising platform is a great way for businesses to publish content to Twitter, and it employs a fairly straightforward workflow.

Once you have your assets in place you can review them within the Service Center.

Here’s the detail from ZDNet:

When handling media and tweet publishing requests, by sharing this media with an intended victim and then modifying the post request with the victim’s account ID, the media in question would be automatically posted from the victim’s account rather than the attacker’s.

As only the parameters of the code needed to be tweaked, there was no need to have any account credentials belonging to the victim to exploit the vulnerability.

Nasty!
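The class of flaw described above is a missing server-side authorization check: the posting account is read from the request instead of from the authenticated session. The sketch below is an added example, not Twitter's code or the researcher's; the handler names, request fields and sample data are all assumptions made for illustration. It puts the flawed check beside a corrected one that also records the mismatch for detection.

```python
# Added illustration: every name and value here is hypothetical, not Twitter's API.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a publish request fails an authorization check."""


@dataclass
class Media:
    owner: str
    shared_with: set = field(default_factory=set)

    def usable_by(self, account_id):
        return account_id == self.owner or account_id in self.shared_with


# Constructed sample data: one media item shared by its owner with a second account.
MEDIA = {"m1": Media(owner="acct_A", shared_with={"acct_B"})}


def publish_flawed(session_account, request):
    # Flaw: the author is taken from the request body. The only check is whether
    # that account may use the media, which sharing already made true.
    author = request["account_id"]
    if not MEDIA[request["media_id"]].usable_by(author):
        raise Forbidden("account cannot use this media")
    return {"posted_as": author, "media_id": request["media_id"]}


def publish_checked(session_account, request, audit_log):
    # The author is always the authenticated session. A request naming any
    # other account is rejected and recorded for detection.
    claimed = request.get("account_id", session_account)
    if claimed != session_account:
        audit_log.append({"session": session_account, "claimed": claimed,
                          "media_id": request.get("media_id")})
        raise Forbidden("account_id does not match authenticated session")
    if not MEDIA[request["media_id"]].usable_by(session_account):
        raise Forbidden("account cannot use this media")
    return {"posted_as": session_account, "media_id": request["media_id"]}
```

The audit entry written on a mismatch is the useful detection signal: a session that names a different account in a publish request has no legitimate reason to do so.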

The vulnerability was discovered by a security researcher who adopts the moniker Kedrisec. The details of his discovery can be found on his website at kedrisec.com.

Twitter naturally moved swiftly to resolve the issue, deploying the patch on 28th February 2017. Kedrisec received $7,560 for his efforts. Not bad for a day’s work, that!


Technology wizard and keen PC gamer. Prefers not to associate himself with "console peasants" if he can help it.

