A major security flaw on Twitter allowed attackers to post messages from any account on the platform, a security researcher revealed.

The exploit went unnoticed for years until a security researcher who goes by Kedrisch disclosed the flaw to the social network company earlier this year. The issue has since been patched and users are no longer at risk of having their accounts hijacked by an attacker exploiting that flaw.

The issue stemmed from Twitter Ads Studio, the company’s platform for advertisers that allowed businesses to upload media and content to share on the site. The flaw was found in the service library where users could review media before publishing.

During the portion of the publishing process in Twitter Ads Studio that handled media and tweet publishing requests, an attacker could share the media with a victim, then change the post request with the victim’s account ID. Doing so would automatically publish the post from the victim’s account.

The process could be completed without any account credentials from the victim — it just required tweaking the code within Twitter Ads Studio. The attacker didn’t need to compromise the victim’s account. Twitter Ads Studio would simply allow the content to be posted as if it were from the victim.
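
A minimal model of the missing check described above, added here as an illustration and not taken from Twitter's code or the researcher's report. The names `Service`, `Media`, `publish_vulnerable` and `publish_hardened` are hypothetical, as is the assumption that the server only verified the media was shared with the account named in the request.

```python
# Added illustration: a constructed model of the authorization gap, not Twitter's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the authenticated caller may not act for the requested account."""


@dataclass
class Media:
    owner_id: str
    shared_with: set = field(default_factory=set)

    def accessible_to(self, account_id: str) -> bool:
        return account_id == self.owner_id or account_id in self.shared_with


@dataclass
class Service:
    media: dict = field(default_factory=dict)      # media_id -> Media
    timeline: list = field(default_factory=list)   # (author account, media_id)

    def publish_vulnerable(self, session_user, account_id, media_id):
        # Only checks that the media is visible to the account named in the
        # request body; never ties that account to the logged-in session.
        if not self.media[media_id].accessible_to(account_id):
            raise Forbidden("media not available to account")
        self.timeline.append((account_id, media_id))

    def publish_hardened(self, session_user, account_id, media_id):
        # The request's account ID is untrusted input: it must match the
        # authenticated session before any other check is made.
        if account_id != session_user:
            raise Forbidden("account_id does not match authenticated user")
        if not self.media[media_id].accessible_to(session_user):
            raise Forbidden("media not available to caller")
        self.timeline.append((session_user, media_id))


def demo():
    """Replay the tampered request against both handlers (constructed data)."""
    svc = Service(media={"m1": Media(owner_id="attacker", shared_with={"victim"})})
    svc.publish_vulnerable("attacker", "victim", "m1")   # accepted
    try:
        svc.publish_hardened("attacker", "victim", "m1")
        blocked = False
    except Forbidden:
        blocked = True
    return svc.timeline, blocked
```

A useful regression test for this class of bug is exactly the one in `demo()`: a request whose account ID differs from the session user must be rejected even when every other check on the object passes.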

According to Twitter, the flaw was patched immediately after it was disclosed and there is zero evidence the bug was ever exploited by an attacker.

A former Twitter security engineer told eSecurity Planet he was not surprised by the discovery of a flaw on the Twitter advertising platform. "As former appsec tech lead for Twitter, I'll just say I'm not shocked this was in code from the ads team," he told the publication.

Kedrisch first disclosed the bug to Twitter on Feb. 26 and the company fixed the vulnerability by Feb. 28. The flaw was submitted via Twitter’s bug bounty program, in which it pays people for discovering and disclosing security flaws. The security researcher was awarded $7,560 for disclosing the bug.

It is not the first time Kedrisch has reported security flaws to Twitter. The security researcher previously disclosed a bug in the Twitter translate forum that could have allowed an attacker to change users’ comments, and reported a flaw that would have allowed an attacker to like tweets sent by a private account.

Kedrisch has also reported three other flaws that have not been publicly disclosed. He earned just short of $4,000 for all of his previous disclosures.

Twitter paid out more than $322,000 to security researchers between 2014 and 2016 through its bug bounty program hosted by HackerOne. Those funds were awarded to users who submitted more than 5,000 vulnerabilities discovered on the platform.