Bug in Twitter’s ads code allowed hackers to tweet from anyone’s account

Much as some of us might wish, it doesn’t explain Donald Trump’s tweets, but there’s a chance it could explain irregularities in tweets from any number of other Twitter accounts.

As former appsec tech lead for twitter, I’ll just say I’m not shocked this was in code from the ads team. https://t.co/TZRYvmuXfj — Charlie Miller

It, in this case, is a bug that would have allowed hackers to post from anyone’s account–even Trump’s, and even before Trump added two-factor authentication. According to Motherboard, code from Twitter’s ads team had introduced the vulnerability. Discovered in February by someone who goes by the nickname kedrisch, the flaw “in the handling of Twitter Ads Studio requests…allowed an attacker to tweet as any user. By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account. This bug was patched immediately after being triaged and no evidence was found of the flaw being exploited by anyone other than the reporter.” Twitter seems to have paid kedrisch a bounty of $7,500 for discovering the bug.
[Photo: Unsplash user Benjamin Balázs]
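
The flaw quoted above comes down to the server taking the posting account from a field in the request instead of from the authenticated session. The sketch below is an added example, not Twitter's code or anything from the report: `MediaStore`, `publish_vulnerable`, `publish_hardened`, the `delegates` map and the request fields are hypothetical names, and the shape of the flawed check is an assumption used to model the bug class next to a check that binds the account to the session.

```python
# Added illustration: a hypothetical media-publishing service, not Twitter's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act for the requested account."""


@dataclass
class MediaStore:
    items: dict = field(default_factory=dict)  # media_id -> (owner, shared_with)
    posts: list = field(default_factory=list)  # (posting_account, media_id)

    def add(self, media_id, owner_id, shared_with=()):
        self.items[media_id] = (owner_id, set(shared_with))


def publish_vulnerable(store, session_user, request):
    """Flawed pattern (assumed shape): posting account comes from the request."""
    owner, shared = store.items[request["media_id"]]
    account = request["account_id"]  # client-controlled value
    # Only asks whether the *named* account can see the media, which is true
    # for anyone the media was shared with. session_user is never consulted.
    if account != owner and account not in shared:
        raise Forbidden("account has no access to media")
    store.posts.append((account, request["media_id"]))
    return account


def publish_hardened(store, session_user, request, delegates=None):
    """Corrected pattern: the posting account is bound to the session."""
    delegates = delegates or {}  # account -> users explicitly allowed to post for it
    owner, shared = store.items[request["media_id"]]
    account = request.get("account_id", session_user)
    # 1. Caller must be the account itself or an explicitly authorised delegate.
    if account != session_user and session_user not in delegates.get(account, set()):
        raise Forbidden("session may not post as this account")
    # 2. Media access is evaluated for the caller, not for the named account.
    if session_user != owner and session_user not in shared:
        raise Forbidden("session has no access to media")
    store.posts.append((account, request["media_id"]))
    return account
```

A regression test for this class of bug replays the same request under a session that does not own the named account and expects a refusal plus no new entry in `posts`.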

About the author

Daniel Terdiman is a San Francisco-based technology journalist with nearly 20 years of experience. A veteran of CNET and VentureBeat, Daniel has also written for Wired, The New York Times, Time, and many other publications.