Before it was fixed earlier this year, a flaw in Twitter could have allowed an attacker to tweet as any user.
Twitter was quick to resolve the issue, fixing it three days after the researcher, a bug hunter who goes by the handle Kedrisch, reported it via HackerOne. Kedrisch found the vulnerability in February and was awarded a $7,560 bounty days later in March. The researcher published details on the flaw earlier this month, but the HackerOne ticket wasn’t made public until Monday.
— kedrisec (@kedrisec) May 4, 2017
The vulnerability was tied to Twitter’s ad platform, ads.twitter.com, a self-service platform that lets companies promote tweets and accounts and monitor advertising campaigns across the social network.
According to Kedrisch’s writeup of the vulnerability, he was able to intercept a request and change two parameters, owner_id and user_id, to tweet as another user.
He received a handful of error messages at first but eventually got a response saying his tweet had been published successfully. The vulnerability, at least at first, relied on the attacker uploading a media file, such as an image, into the tweet they wanted to send. According to Kedrisch, just having the image isn’t enough: an attacker also needs the filename associated with the image, a media_key, which can be difficult to determine.
“User which we use to make a publication must have a media-file uploaded. Moreover, it’s needed to know media_key of this file and it’s almost impossible to reveal it by the means of brute force, as it contains 18 digits,” Kedrisch wrote. “In my explorations I didn’t find 100% way to know this media_key. There were always some restrictions and circumstances which allow one to get that media_key.”
By uploading an image file and sharing it with a user – something Twitter Ads allows – Kedrisch realized he could carry out the same attack without that 18-digit code. Instead, he found he could intercept the same POST request that’s sent to Twitter when a user tweets and swap out the Twitter handle.
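The root cause described above is a server that takes the acting identity from client-controlled parameters (owner_id, user_id) rather than from the authenticated session, so swapping those values changes who the tweet is attributed to. The following is an added illustration of that check, written for this article; it is not Twitter's code, and the handler names, session shape, and media store are constructed assumptions. The vulnerable handler trusts the request body; the hardened one binds the post to the session user and only checks the media_key for ownership or sharing, so shared media can still be used but never changes whose name the post goes out under.

```python
"""Constructed illustration of the authorization bug class in the article.

Nothing here is Twitter's real code: Session, MediaStore and the two
publish_* handlers are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session. user_id is set at login, never read from the request body."""
    user_id: str


@dataclass
class MediaStore:
    """Who uploaded each media_key and whom it has been shared with (constructed data)."""
    owner: dict = field(default_factory=dict)   # media_key -> uploading user_id
    shared: dict = field(default_factory=dict)  # media_key -> set of user_ids it is shared with


def publish_vulnerable(session: Session, body: dict, media: MediaStore) -> dict:
    """Vulnerable pattern: the acting identity comes from client-supplied user_id.

    Whoever can intercept and edit the POST body picks who the tweet is posted as.
    """
    acting = body["user_id"]
    return {"allowed": True, "posted_as": acting, "media_key": body.get("media_key")}


def publish_hardened(session: Session, body: dict, media: MediaStore) -> dict:
    """Hardened pattern: identity is the session user; body parameters must agree.

    The media_key check allows media the user uploaded or that was shared with
    them, which mirrors the sharing feature the article mentions, but sharing
    never changes the identity the post is attributed to.
    """
    acting = session.user_id
    # Reject any attempt to name a different owner or user in the body.
    for param in ("owner_id", "user_id"):
        if param in body and str(body[param]) != acting:
            return {"allowed": False, "reason": f"{param} does not match authenticated user"}
    media_key = body.get("media_key")
    if media_key is not None:
        owns = media.owner.get(media_key) == acting
        shared_with_me = acting in media.shared.get(media_key, set())
        if not (owns or shared_with_me):
            return {"allowed": False, "reason": "media_key not owned by or shared with user"}
    return {"allowed": True, "posted_as": acting, "media_key": media_key}


# Constructed sample data: the victim uploaded media "m1" and shared it with the attacker.
SAMPLE_MEDIA = MediaStore(owner={"m1": "victim"}, shared={"m1": {"attacker"}})
ATTACKER_SESSION = Session(user_id="attacker")
# Tampered body: parameters rewritten to name the victim, as in the intercepted request.
TAMPERED_BODY = {"owner_id": "victim", "user_id": "victim", "media_key": "m1"}
# Honest body: the attacker posting as themselves using media shared with them.
HONEST_BODY = {"owner_id": "attacker", "user_id": "attacker", "media_key": "m1"}


if __name__ == "__main__":
    print("vulnerable:", publish_vulnerable(ATTACKER_SESSION, TAMPERED_BODY, SAMPLE_MEDIA))
    print("hardened, tampered:", publish_hardened(ATTACKER_SESSION, TAMPERED_BODY, SAMPLE_MEDIA))
    print("hardened, honest:", publish_hardened(ATTACKER_SESSION, HONEST_BODY, SAMPLE_MEDIA))
```

The detection angle is the same comparison run after the fact: a request log in which the session's user differs from the owner_id or user_id in the body is exactly the signal a defender would alert on while a fix is being rolled out.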
Twitter marked the vulnerability as high severity according to Kedrisch’s HackerOne report.
“This bug was patched immediately after being triaged and no evidence was found of the flaw being exploited by anyone other than the reporter,” Twitter told Threatpost Wednesday.
According to Twitter’s HackerOne page, the company has paid out $703,240 to researchers for bugs since launching its bug bounty program in May 2014. While Kedrisch’s $7,560 bounty may seem low to some, it’s in line with what the company regularly pays for a “Significant Authentication Bypass” in Core Twitter: $7,500. Remote code execution vulnerabilities in the service can fetch up to twice that amount, $15,000.