A researcher going by the moniker Kedrisch spotted a Twitter vulnerability which would have allowed a user to post tweets from any user’s account.
The flaw was in the handling of Twitter Ads Studio requests which allowed an attacker to tweet as any user by sharing media with a victim user and then modifying the post request with the victim’s account ID of the media in question, according to the HackerOne disclosure.
Kedrisch was able to exploit the bug by uploading the media file, sharing the file with the user who’s account they wanted to compromise, intercepting the query for tweet publication and changing the in POST-method following data: owner_id and user_id to the twitter id of the victim account.
Although the bug was publicly disclosed May 22, Kedrisch spotted the flaw on February 26, 2017 and promptly notified Twitter via the bug bounty program. The social media company patched the flaw on February 28, 2017 and awarded the researcher a $7,560 bounty.