Security Experts:

Connect with us

Hi, what are you looking for?



Twitter Bug Allowed Publishing Tweets From Any Account

A bug in the Twitter social network allowed an attacker to post tweets as a different user, without having access to the victim’s account.

A bug in the Twitter social network allowed an attacker to post tweets as a different user, without having access to the victim’s account.

Discovered by a security researcher going by the name of kedrisec, the issue was reported to Twitter on February 26 and was resolved two days later. The vulnerability was assessed High severity and the reporter received a $7,560 bounty for it.

The issue resided in the handling of Twitter Ads Studio requests, Twitter explains: “By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account.”

No evidence of the flaw being exploited in the wild has been found so far, with the reporter being the only one to have leveraged the vulnerability, Twitter says.

In their write-up, the researcher explains that the issue leverages Twitter’s ads service, which “has media-library with the possibility to upload media-files (video, pictures, GIF-animation).” The service also offers the option to review media-files uploaded before and which were used when a tweet was published.

The library is located at*id_of_user_account*/media and allows the user not only to view the media file, but also to tweet the file or share it with other users. The function for tweeting has access to account_id, owner_id (image owner), user_id (the user the tweet will be published to), and media_key (id of the media-file that is being published).  

Attempting to replace the owner_id and user_id in intercepted GET request and JSON or in POST returned errors. The POST error, however, revealed that the service doesn’t accept the user with the replaced owner_id as the owner of the media file.

The researcher then attempted to modify not only owner_id and user_id, but media_key in POST as well, which resulted in a successful attempt of tweet publication. While this allowed the researcher to publish as any user, it did show a limitation: they could publish only if the user had media-files uploaded and also had to know the media_key of the file, which is almost impossible to get, as it contains 18 digits.

However, if the attacker shared a media-file with the targeted user (meaning the attacker already knows the media_key), the service would consider the victim being the owner of the file, thus allowing the attacker to successfully impersonate the victim when tweeting.

In short, the attack would include the following steps: uploading a file, sharing the file with the targeted user, intercept the query for tweet publication and change in POST the owner_id and user_id (the media_key, which is already known to the attack, doesn’t change).

Related: Hackers Abuse Twitter App to Hijack High-Profile Accounts

Related: Twitter Flaw Allowed Access to Locked Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet