Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Twitter Bug Could Have Allowed Attackers to Post Under Any Account

CrAKeN

By CrAKeN
in Security & Privacy News

Recommended Posts

CrAKeN

CrAKeN

Posted
Posted

twitter-bug-could-have-allowed-attackers

 

A severe Twitter bug was killed after HackerOne report

 

A vulnerability that was patched earlier this year could have allowed an attacker to send tweets as any user on the platform. 

 

The discovery was made by a bug hunter tweeting under the handle Kedrisec, who reported the issue over HackerOne, the bug bounty platform. He filed the report in February, receiving a $7,650 bounty for his troubles. The details of the flaw were made public earlier this month, but the actual HackerOne ticket was only released at the beginning of this week, long after Twitter fixed the problem.

 

According to Kedrisec, the vulnerabilities is related to Twitter's ad platform. Ads.twitter.com is a self-service platform that allows companies to promote tweets, accounts and so on, as well as to monitor ad campaigns.

 

A difficult task


The researcher managed to intercept a request and change two parameters, namely owner_id and user_id, which allowed him to tweet as a different user.

 

At first there were quite a few error messages, but eventually managed to get through. The vulnerability relied on an attacker uploading a media file into tweets they wanted to send. Things were a bit more complicated than that, however, as an attacker also needed the filename associated with the image, which is something that can be difficult to determine.

 

"It's needed to know media_key of this file and it's almost impossible to reveal it by the means of brute force, as it contains 18 digits. In my exploration, I didn't find 100% way to know this media_key. There were always some restrictions and circumstances which allow to get that media_key," Kedrisch explains.

 

Then, Kedrisch discovered that by uploading an image file and sharing it with a user, which Twitter Ads allows, the same attack could be carried without needing that 18-digit code. The post request that's sent to Twitter could be intercepted and the Twitter handle could be swapped.

 

According to the report, Twitter marked this vulnerability as "high severity".

 

The bug was patched immediately after being filed and the company said they've found no evidence of it being exploited by anyone other than the researcher.

 

Source

Link to comment
Share on other sites
  • Views 400
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...