Twitter flaw allowed you to tweet from any account

All this time, a rather simple Twitter bug could have caused chaos on the platform.
Written by Charlie Osborne, Contributing Writer

A Twitter security flaw which went undetected for years allowed attackers to post messages masquerading as any user they chose.

A security researcher who goes by the moniker Kedrisch disclosed the flaw on Tuesday. It was present on the microblogging platform until 28 February this year.

Discovered in Twitter Ads Studio, a platform for advertisers to upload media and content, the high-severity bug appeared in the service library where users can review media before publishing.

The flaw lay in how media and tweet publishing requests were handled: an attacker could share a piece of media with an intended victim, then modify the publish request so that it carried the victim's account ID. The media would then be posted from the victim's account rather than the attacker's.

Because only a request parameter needed to be tweaked, exploiting the vulnerability required no account credentials belonging to the victim.
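The class of bug described above is a missing authorization check: the server accepts a client-supplied account ID as the publishing account and only verifies that this account can see the media, never that the caller is allowed to act as that account. The following is an added illustration, not Twitter's code or anything from the researcher's report; the account names, the `DELEGATES` table and the request shape are all constructed for the example. It places a handler with that defect beside one that binds the publishing account to the authenticated session.

```python
"""Constructed example: a publish endpoint that trusts a client-supplied
account_id versus one that checks the caller may act as that account."""

from dataclasses import dataclass, field


@dataclass
class MediaItem:
    media_id: str
    owner: str
    shared_with: set = field(default_factory=set)


# Constructed fixtures: the attacker owns media "m1" and has shared it
# with the victim, mirroring the setup step described in the article.
MEDIA = {
    "m1": MediaItem("m1", owner="attacker", shared_with={"victim"}),
}

# Accounts permitted to publish on behalf of another account (for example an
# agency managing a brand handle). Nobody is allowed to post as "victim".
DELEGATES = {
    "victim": set(),
}

# (publishing_account, media_id) tuples, appended on a successful publish.
TIMELINE = []


def media_visible_to(account_id, media):
    """True if the given account owns the media or has had it shared with it."""
    return account_id == media.owner or account_id in media.shared_with


def publish_vulnerable(session_user, request):
    """Defective handler: the publishing account comes straight from the
    request body. The only check is that *that* account can see the media,
    which the attacker satisfies by sharing the media with the victim first.
    The authenticated caller (session_user) is never consulted."""
    media = MEDIA[request["media_id"]]
    target = request["account_id"]
    if not media_visible_to(target, media):
        return 403
    TIMELINE.append((target, media.media_id))
    return 200


def can_act_as(session_user, account_id):
    """Authorization rule: a session may publish as its own account, or as an
    account that has explicitly delegated publishing rights to it."""
    return session_user == account_id or session_user in DELEGATES.get(account_id, set())


def publish_hardened(session_user, request):
    """Fixed handler: the publishing account is validated against the
    authenticated session before any media check is performed, so a
    tampered account_id is rejected regardless of media sharing."""
    media = MEDIA[request["media_id"]]
    target = request["account_id"]
    if not can_act_as(session_user, target):
        return 403
    if not media_visible_to(target, media):
        return 403
    TIMELINE.append((target, media.media_id))
    return 200


if __name__ == "__main__":
    tampered = {"media_id": "m1", "account_id": "victim"}
    print("vulnerable:", publish_vulnerable("attacker", tampered))  # 200, posted as victim
    print("hardened:  ", publish_hardened("attacker", tampered))    # 403
    print("timeline:  ", TIMELINE)
```

The defensive takeaway is that "who can see this object" and "who may act as this principal" are separate questions, and the second must be answered from the session, not from the request body. For detection, the same comparison is a useful log signal: a publish request whose authenticated principal differs from its `account_id` without a matching delegation record is exactly the pattern the hardened handler rejects.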

The bug was submitted as part of Twitter's bug bounty program, hosted on HackerOne. Twitter moved rapidly and patched the flaw in only two days, resolving the issue on 28 February.

The security researcher was awarded $7,560 for his efforts.


Between 2014 and 2016, Twitter awarded researchers over $322,000 for submitting over 5,000 vulnerabilities including XSS flaws, HTTP response problems and a variety of less severe bugs.
