The bug was fixed immediately after the report was received

May 24, 2017 21:53 GMT

A vulnerability that was patched earlier this year could have allowed an attacker to send tweets as any user on the platform. 

The discovery was made by a bug hunter tweeting under the handle Kedrisec, who reported the issue over HackerOne, the bug bounty platform. He filed the report in February, receiving a $7,650 bounty for his troubles. The details of the flaw were made public earlier this month, but the actual HackerOne ticket was only released at the beginning of this week, long after Twitter fixed the problem.

According to Kedrisec, the vulnerability is related to Twitter's ad platform. Ads.twitter.com is a self-service platform that allows companies to promote tweets, accounts and so on, as well as to monitor ad campaigns.

A difficult task

The researcher managed to intercept a request and change two parameters, namely owner_id and user_id, which allowed him to tweet as a different user.

At first, there were quite a few error messages, but he eventually managed to get through. The vulnerability relied on an attacker uploading a media file into the tweets they wanted to send. Things were a bit more complicated than that, however, as an attacker also needed the identifier associated with the image (the media_key), which is something that can be difficult to determine.

"It's needed to know the media_key of this file, and it's almost impossible to reveal it by means of brute force, as it contains 18 digits. In my exploration, I didn't find a 100% way to know this media_key. There were always some restrictions and circumstances which allow one to get that media_key," Kedrisec explains.

Then, Kedrisec discovered that by uploading an image file and sharing it with a user, which Twitter Ads allows, the same attack could be carried out without needing that 18-digit code. The POST request that is sent to Twitter could be intercepted and the Twitter handle could be swapped.
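The root cause the report describes is a server honouring client-supplied owner_id and user_id instead of the authenticated session, so a request for "post this media as user X" is accepted for any X the caller names. The following is an added illustration, not Twitter's or the researcher's code: a simplified in-memory model of such a handler beside a hardened version that binds the author to the session and checks that the media is owned by or shared with that user. The ids, media_key values and store are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Media:
    media_key: str        # 18-digit identifier, as in the report (constructed values below)
    owner_id: int
    shared_with: set = field(default_factory=set)

# Constructed sample store: user 42 owns two media items, one shared with user 7.
MEDIA = {
    "123456789012345678": Media("123456789012345678", owner_id=42),
    "987654321098765432": Media("987654321098765432", owner_id=42, shared_with={7}),
}
TWEETS = []  # (author_id, text, media_key)

class Forbidden(Exception):
    pass

def vulnerable_post_tweet(session_user_id, params):
    """Flawed pattern: the author is read from the request body, so a caller
    with any valid session can swap user_id/owner_id and publish as someone else."""
    author = int(params["user_id"])
    TWEETS.append((author, params["text"], params.get("media_key")))
    return author

def hardened_post_tweet(session_user_id, params):
    """Fixed pattern: the author is the authenticated user. Client-supplied ids
    are only compared against the session, never trusted, and the media must be
    owned by or shared with that same user (sharing grants the recipient the
    right to post it as themselves, not the sharer the right to post as them)."""
    for key in ("owner_id", "user_id"):
        if key in params and int(params[key]) != session_user_id:
            raise Forbidden(f"{key} does not match the authenticated user")
    media_key = params.get("media_key")
    if media_key is not None:
        media = MEDIA.get(media_key)
        if media is None or (media.owner_id != session_user_id
                             and session_user_id not in media.shared_with):
            raise Forbidden("media is not accessible to the authenticated user")
    TWEETS.append((session_user_id, params["text"], media_key))
    return session_user_id

def rejects(session_user_id, params):
    """True if the hardened handler refuses the request (used for checks)."""
    try:
        hardened_post_tweet(session_user_id, params)
    except Forbidden:
        return True
    return False
```

A test for the fix is the swapped-id request itself: the same parameters that the flawed handler accepts must be refused by the hardened one, while a user posting their own or shared media still succeeds.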

According to the report, Twitter marked this vulnerability as "high severity."

The bug was patched immediately after being filed, and the company said it had found no evidence of the flaw being exploited by anyone other than the researcher.