A basic premise of Twitter is that only the owner of an account (the @ handle) can post from it. That premise was undermined by a security bug that Twitter patched at the end of February but that was only publicly disclosed on May 22.
The bug was reported to Twitter by a security researcher who uses the alias ‘Kedrisch’ through Twitter’s bug bounty program, which is run on HackerOne.
“The reporter discovered a flaw in the handling of Twitter Ads Studio requests which allowed an attacker to tweet as any user,” the HackerOne bug report states. “By sharing media with a victim user and then modifying the post request with the victim’s account ID, the media in question would be posted from the victim’s account.”
In a detailed writeup on the flaw, Kedrisch describes the steps taken to discover the vulnerability. In short, the process involved intercepting the Ads Studio requests and tampering with the owner_id and user_id parameters in the GET and POST actions: the server trusted the client-supplied account ID instead of the authenticated user’s.
The requests were intercepted on Twitter’s ad network service at https://ads.twitter.com. The flaw is particularly worrisome since, according to Kedrisch, it “… allowed hackers to publish entries in Twitter-network by any user of this service, meanwhile without having the access to the account of a victim.”
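The pattern described in the HackerOne report is a classic insecure direct object reference: the account to publish from is read from a client-controlled parameter, and the only authorization check is whether that account can access the media. The following is an added example written for this article, not Twitter’s or Kedrisch’s code. The parameter names user_id and media_id follow the writeup; the handler logic, the in-memory media store, the account IDs 1001 and 2002, and the assumption that the server checked media access for the supplied account (which is why sharing the media with the victim first was necessary) are all the editor’s assumptions. It models the vulnerable handler beside a hardened one that derives the publishing account from the session.

```python
# Added example (not Twitter's code): a minimal model of the Ads Studio
# flaw as described in the HackerOne report, beside a hardened version.
# All IDs, names and the store layout are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Media:
    media_id: int
    owner_id: int                                  # account that uploaded the media
    shared_with: set = field(default_factory=set)  # accounts it has been shared with


class PublishError(Exception):
    pass


MEDIA = {}      # media_id -> Media (constructed sample store)
TIMELINE = []   # (account_id, media_id) tuples that were published


def share_media(media_id, sharer_id, target_id):
    """Step 1 of the reported attack: the owner shares media with another account."""
    m = MEDIA[media_id]
    if m.owner_id != sharer_id:
        raise PublishError("only the owner can share media")
    m.shared_with.add(target_id)


def can_use(media, account_id):
    return account_id == media.owner_id or account_id in media.shared_with


def publish_vulnerable(session_user_id, params):
    """Hypothetical vulnerable handler (assumption, not Twitter's code): the
    account to publish FROM is taken from the client-controlled request body
    ('user_id'), and the only check is whether that account may use the media.
    Because the attacker shared the media with the victim first, the check
    passes and the media is posted from the victim's account."""
    target = int(params["user_id"])
    media = MEDIA[int(params["media_id"])]
    if not can_use(media, target):
        raise PublishError("account has no access to this media")
    TIMELINE.append((target, media.media_id))
    return target


def publish_fixed(session_user_id, params):
    """Hardened handler: the publishing account is always the authenticated
    session user. A client-supplied user_id is only accepted if it matches the
    session, and the media access check is made against the session user."""
    media = MEDIA[int(params["media_id"])]
    claimed = params.get("user_id")
    if claimed is not None and int(claimed) != session_user_id:
        raise PublishError("user_id does not match the authenticated session")
    if not can_use(media, session_user_id):
        raise PublishError("account has no access to this media")
    TIMELINE.append((session_user_id, media.media_id))
    return session_user_id


def run_demo():
    """Replays the reported scenario against both handlers. Returns the account
    each handler published from (None where the hardened handler refused)."""
    MEDIA.clear()
    TIMELINE.clear()
    attacker, victim = 1001, 2002                       # constructed IDs
    MEDIA[7] = Media(media_id=7, owner_id=attacker)
    share_media(7, attacker, victim)                    # step 1: share with victim
    tampered = {"media_id": "7", "user_id": str(victim)}  # step 2: swap in victim ID
    vuln_result = publish_vulnerable(attacker, tampered)
    try:
        fixed_result = publish_fixed(attacker, tampered)
    except PublishError:
        fixed_result = None
    return vuln_result, fixed_result


if __name__ == "__main__":
    print(run_demo())  # vulnerable handler posts as 2002; fixed handler refuses
```

The fix is not to validate the supplied user_id more carefully but to stop using it as the source of identity at all: the account that performs a privileged action must come from the authenticated session, and any ID in the request body is at most checked for consistency with it.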
In the HackerOne bug report, Twitter noted that it had no evidence that the vulnerability was ever exploited in the wild, that is, by anyone other than Kedrisch.
At least one former Twitter security engineer was not surprised by Kedrisch’s discovery of a flaw leveraging the Twitter advertising system.
“As former appsec tech lead for twitter, I’ll just say I’m not shocked this was in code from the ads team,” security researcher Charlie Miller wrote in a Twitter message.
Miller is a world-renowned security researcher, famous for winning the Pwn2Own hacking competition, for being the first to hack an iPhone and for hacking a Jeep while a reporter was in it. At least one of Miller’s former co-workers at Twitter took issue with his remarks on Twitter. Miller responded, “if a team is responsible for the vast majority of security issues, maybe they should feel not awesome?”
Bug bounty award
Kedrisch was awarded $7,560 by Twitter for the disclosure of the ad system related account takeover attack, which Twitter itself rated as high severity.
This isn’t the first time Kedrisch has disclosed security vulnerabilities to Twitter. In December 2016, Twitter awarded Kedrisch $1,120 for a low-severity bug in the Twitter translate forum (https://translate.twitter.com/forum/) that could have enabled an attacker to change a user’s comments.
In October 2016, Kedrisch reported an information disclosure flaw in the publish.twitter.com service that could have enabled an attacker to like the Tweets of a private account. Twitter rated that particular flaw as medium severity and awarded Kedrisch $1,260.
Twitter has also awarded Kedrisch three other bounties totaling $1,540 for bugs that have not yet been publicly disclosed.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.