
Bug in Twitter’s ads code allowed hackers to tweet from anyone’s account

Much as some of us might wish, it doesn’t explain Donald Trump’s tweets, but there’s a chance it could explain irregularities in tweets from any number of other Twitter accounts.

It, in this case, is a bug that would have allowed hackers to post from anyone’s account–even Trump’s, and even before Trump added two-factor authentication. According to Motherboard, code from Twitter’s ads team had introduced the vulnerability. Discovered in February by someone who goes by the nickname kedrisch, the flaw “in the handling of Twitter Ads Studio requests…allowed an attacker to tweet as any user. By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account. This bug was patched immediately after being triaged and no evidence was found of the flaw being exploited by anyone other than the reporter.” Twitter seems to have paid kedrisch a bounty of $7,500 for discovering the bug.
[Photo: Unsplash user Benjamin Balázs]

DT
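
The quoted description matches a missing object-level authorization check: the server takes the posting account from the request instead of from the authenticated session. The sketch below is an added illustration of that class of flaw and its fix, not Twitter's code; the `Store` model, handler names, field names and account IDs are all hypothetical, and the page does not describe the actual root cause.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    owner: dict = field(default_factory=dict)        # media_id -> owning account
    shared_with: dict = field(default_factory=dict)  # media_id -> accounts it is shared with
    timeline: list = field(default_factory=list)     # (author, media_id) posts

def can_use_media(store, account_id, media_id):
    return (store.owner.get(media_id) == account_id
            or account_id in store.shared_with.get(media_id, set()))

def post_vulnerable(store, session_user, body):
    # Flaw: the author is read from the request body. The only check is that
    # the media is usable by that account, which sharing already makes true.
    author = body["account_id"]
    if not can_use_media(store, author, body["media_id"]):
        raise PermissionError("media not available to account")
    store.timeline.append((author, body["media_id"]))
    return author

def post_hardened(store, session_user, body):
    # Fix: the authenticated session decides the author. A body account_id
    # that disagrees with the session is rejected (and is worth alerting on).
    if body.get("account_id", session_user) != session_user:
        raise PermissionError("account_id does not match session")
    if not can_use_media(store, session_user, body["media_id"]):
        raise PermissionError("media not available to account")
    store.timeline.append((session_user, body["media_id"]))
    return session_user

def demo():
    # Constructed data: account 1001 owns media m1 and shared it with 2002.
    store = Store(owner={"m1": "1001"}, shared_with={"m1": {"2002"}})
    tampered = {"account_id": "2002", "media_id": "m1"}  # sent by session 1001
    results = {"vulnerable": post_vulnerable(store, "1001", tampered)}
    try:
        post_hardened(store, "1001", tampered)
        results["hardened"] = "accepted"
    except PermissionError as exc:
        results["hardened"] = f"rejected: {exc}"
    results["own_post"] = post_hardened(store, "1001", {"media_id": "m1"})
    return results, store.timeline

if __name__ == "__main__":
    print(demo())
```

The same session-versus-body comparison, run over request logs, is a detection signal: any post request whose account ID differs from the authenticated user should be investigated.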