Security Experts:

Connect with us

Hi, what are you looking for?



Twitter Bug Allowed Publishing Tweets From Any Account

A bug in the Twitter social network allowed an attacker to post tweets as a different user, without having access to the victim’s account.

A bug in the Twitter social network allowed an attacker to post tweets as a different user, without having access to the victim’s account.

Discovered by a security researcher going by the name of kedrisec, the issue was reported to Twitter on February 26 and was resolved two days later. The vulnerability was assessed High severity and the reporter received a $7,560 bounty for it.

The issue resided in the handling of Twitter Ads Studio requests, Twitter explains: “By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account.”

No evidence of the flaw being exploited in the wild has been found so far, with the reporter being the only one to have leveraged the vulnerability, Twitter says.

In their write-up, the researcher explains that the issue leverages Twitter’s ads service, which “has media-library with the possibility to upload media-files (video, pictures, GIF-animation).” The service also offers the option to review media-files uploaded before and which were used when a tweet was published.

The library is located at*id_of_user_account*/media and allows the user not only to view the media file, but also to tweet the file or share it with other users. The function for tweeting has access to account_id, owner_id (image owner), user_id (the user the tweet will be published to), and media_key (id of the media-file that is being published).  

Attempting to replace the owner_id and user_id in intercepted GET request and JSON or in POST returned errors. The POST error, however, revealed that the service doesn’t accept the user with the replaced owner_id as the owner of the media file.

The researcher then attempted to modify not only owner_id and user_id, but media_key in POST as well, which resulted in a successful attempt of tweet publication. While this allowed the researcher to publish as any user, it did show a limitation: they could publish only if the user had media-files uploaded and also had to know the media_key of the file, which is almost impossible to get, as it contains 18 digits.

However, if the attacker shared a media-file with the targeted user (meaning the attacker already knows the media_key), the service would consider the victim being the owner of the file, thus allowing the attacker to successfully impersonate the victim when tweeting.

In short, the attack would include the following steps: uploading a file, sharing the file with the targeted user, intercept the query for tweet publication and change in POST the owner_id and user_id (the media_key, which is already known to the attack, doesn’t change).

Related: Hackers Abuse Twitter App to Hijack High-Profile Accounts

Related: Twitter Flaw Allowed Access to Locked Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.