The flaw lay in how media and tweet publishing requests were handled: by sharing media with an intended victim and then modifying the post request to carry the victim's account ID, an attacker could have the media in question posted automatically from the victim's account rather than their own.
As only the parameters of the request needed to be tweaked, an attacker did not need any account credentials belonging to the victim to exploit the vulnerability.
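The sketch below is an added illustration, not Twitter's code and not part of the original report. It models the class of flaw described above next to a handler that binds the acting account to the authenticated session. All names (`publish_vulnerable`, `publish_hardened`, `account_id`, `media_id`, `shared_with`, the delegation map) are hypothetical, and the vulnerable handler's logic is an assumed model of the described behaviour.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act for the requested account."""


@dataclass
class Media:
    owner_id: int
    shared_with: set = field(default_factory=set)

    def usable_by(self, account_id: int) -> bool:
        return account_id == self.owner_id or account_id in self.shared_with


def publish_vulnerable(session_user, req, media_store):
    # Assumed model of the flaw: the account ID comes from the request body and
    # is only checked against the media's share list, never against the session.
    media = media_store[req["media_id"]]
    if not media.usable_by(req["account_id"]):
        raise Forbidden("account has no access to this media")
    return {"posted_as": req["account_id"], "media_id": req["media_id"]}


def publish_hardened(session_user, req, media_store, delegates=None):
    # The acting account must be the authenticated user, or an account that has
    # explicitly delegated publishing to that user (hypothetical delegation map).
    account_id = req.get("account_id", session_user)
    may_act_as = {session_user} | (delegates or {}).get(session_user, set())
    if account_id not in may_act_as:
        raise Forbidden("session may not publish as this account")
    media = media_store.get(req["media_id"])
    if media is None or not media.usable_by(account_id):
        raise Forbidden("account has no access to this media")
    return {"posted_as": account_id, "media_id": req["media_id"]}


# Constructed sample data: user 1001 owns media 7 and has shared it with 2002.
MEDIA = {7: Media(owner_id=1001, shared_with={2002})}
TAMPERED = {"media_id": 7, "account_id": 2002}  # sent from 1001's session
```

The hardened handler decides who may publish from the session first and treats the share list only as a check on media access, so a share alone never grants the right to post as the recipient.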
The bug was submitted as part of Twitter's bug bounty program, hosted on HackerOne. Twitter moved rapidly and patched the flaw in only two days, resolving the issue on 28 February.
The security researcher was awarded $7,560 for his efforts.