A Twitter security flaw which went undetected for years allowed attackers to post messages masquerading as any user they chose.
On Tuesday, a security researcher who goes by the moniker Kedrisch disclosed the flaw, which was present on the microblogging platform until 28 February this year.
Discovered in Twitter Ads Studio, a platform for advertisers to upload media and content, the high-severity bug appeared in the service library where users can review media before publishing.
The flaw lay in how the service handled media and tweet publishing requests: if an attacker shared media with an intended victim and then modified the post request to carry the victim’s account ID, the media in question would be automatically posted from the victim’s account rather than the attacker’s.
As only the parameters of the request needed to be tweaked, no account credentials belonging to the victim were needed to exploit the vulnerability.
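The class of flaw described above is a missing server-side check that ties the posting identity to the authenticated session. The following is an added example, not Twitter's code and not from the researcher's report: a flawed publish handler beside a hardened one. All names (`publish_vulnerable`, `publish_hardened`, `DELEGATES`, the request fields) are hypothetical, and the assumption that the flawed handler only checked whether the supplied account ID could access the media is a model chosen to match the article's description.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the authenticated caller may not act as the requested account."""

@dataclass
class Media:
    media_id: str
    owner_id: str
    shared_with: set = field(default_factory=set)

# Constructed sample data: one item shared with another account, one owned by a brand.
MEDIA = {
    "m1": Media("m1", owner_id="attacker", shared_with={"victim"}),
    "m2": Media("m2", owner_id="brand"),
}
# Hypothetical delegation table: session user -> accounts they may publish for.
DELEGATES = {"agency": {"brand"}}

def can_view(account_id, media):
    return account_id == media.owner_id or account_id in media.shared_with

def publish_vulnerable(session_user, request):
    """Flawed: authorizes the account ID from the request body, never the session."""
    media = MEDIA[request["media_id"]]
    account_id = request["account_id"]        # client-controlled value
    if not can_view(account_id, media):       # passes once the media is shared
        raise Forbidden("account cannot access media")
    return {"posted_as": account_id, "media_id": media.media_id}

def publish_hardened(session_user, request):
    """Fixed: the posting identity must be the session user or a delegated account."""
    media = MEDIA[request["media_id"]]
    account_id = request.get("account_id", session_user)
    allowed = {session_user} | DELEGATES.get(session_user, set())
    if account_id not in allowed:
        raise Forbidden(f"{session_user} may not publish as {account_id}")
    if not can_view(account_id, media):
        raise Forbidden("account cannot access media")
    return {"posted_as": account_id, "media_id": media.media_id}

def is_blocked(handler, session_user, request):
    """Return True when the handler rejects the request with Forbidden."""
    try:
        handler(session_user, request)
        return False
    except Forbidden:
        return True
```

The hardened handler derives the set of permitted posting identities from the session alone, so a tampered `account_id` is rejected before any media access check runs, while legitimate delegated publishing still works.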
The bug was submitted as part of Twitter’s bug bounty program, hosted on HackerOne. Twitter moved rapidly and patched the flaw in only two days, resolving the issue on 28 February.
The security researcher was awarded $7,560 for his efforts.