Once again an independent researcher found a way to take control of Twitter accounts to tweet and upload media.
Researcher Anand Prakash spotted an insecure direct object reference vulnerability in Twitter's code, which could have been exploited allowing someone to tweet from another account, upload videos on behalf of other users, delete pics/videos from victim's tweets, view private media uploaded by other twitter accounts, according to a May 28 blog post.
Prakash was probing the Twitter Studio feature for security bugs where he discovered “all API request on studio.twitter.com were sending a parameter named "owner_id" which was twitter user id (publicly available and sequential) of the logged in user,” the post said. “Owner_id parameter was missing authorisation checks changing which allowed me to take actions on behalf of other twitter users.”
The researcher released proof of concept videos to demonstrate how the vulnerability could leak private media and how an attacker could delete media from the victim's accounts. Prakash said he reported his finding to Twitter in August 29, 2016 and received a $5,049 bug bounty.
