A bug in a Twitter product could have allowed attackers to send tweets from any account and delete photos and videos from published tweets, according to a recent blog post by the security researcher who discovered it. It’s the second broad vulnerability in the product, called Studio, that’s come to light recently, raising questions about how well Twitter secures its platform.
Twitter launched Studio last August as a tool for media publishers to streamline the process of publishing video content. But participants in Twitter’s bug bounty program quickly realised they could exploit flaws in Twitter’s code to publish tweets on other people’s accounts without stealing their passwords.
“I started looking out for security loopholes after the launch [of Studio],” researcher Anand Prakash explained in a post, published last week, outlining the vulnerability. He discovered the problem within a day of Studio’s launch and tested it on a friend’s account.
A Twitter spokesperson told Gizmodo in an email that the company fixed the bug within 24 hours of Prakash’s report. The spokesperson added that the company has no evidence that any user accounts were compromised, except for Prakash’s friend’s account, which he accessed with permission to demonstrate the bug.
The bug “could have been used by attackers to tweet from other accounts, upload videos on behalf of user, delete pics/videos from victim’s tweets, view private media uploaded by other Twitter accounts etc.,” Prakash explained.
Because authorisation checks weren’t in place, Prakash was able to substitute the user ID of his target’s account into Studio’s code, allowing him to tweet from the target’s account without access to their password.
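The flaw described here is a missing object-level authorisation check: the endpoint takes the acting user's ID from the request instead of from the authenticated session, and never verifies that the media being touched belongs to the caller. The following is an added, constructed illustration (hypothetical code, not Twitter's Studio implementation): a toy media-publishing API with the vulnerable handlers beside hardened ones that derive identity from the session and ownership from the server-side record. Names such as `Store`, `Session`, `Forbidden` and `_owned_media` are assumptions of this example.

```python
"""Constructed example of a missing object-level authorisation check in a
media-publishing endpoint, with the hardened version. Hypothetical code."""
from dataclasses import dataclass, field
from typing import Dict, List


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


@dataclass
class Session:
    user_id: str  # identity the server established at login


@dataclass
class Media:
    media_id: str
    owner_id: str


@dataclass
class Tweet:
    author_id: str
    text: str
    media_id: str


@dataclass
class Store:
    media: Dict[str, Media] = field(default_factory=dict)
    tweets: List[Tweet] = field(default_factory=list)


# --- Vulnerable: the request body names the acting user ---------------------
def post_tweet_vulnerable(store: Store, session: Session, body: dict) -> Tweet:
    # The session is ignored; whoever is named in body["user_id"] becomes the
    # author, so substituting another account's ID publishes as that account.
    tweet = Tweet(author_id=body["user_id"], text=body["text"],
                  media_id=body["media_id"])
    store.tweets.append(tweet)
    return tweet


def delete_media_vulnerable(store: Store, session: Session, body: dict) -> bool:
    # No ownership check at all: any media ID that exists is deleted.
    store.media.pop(body["media_id"])
    return True


# --- Hardened: identity from the session, ownership from the store ----------
def _owned_media(store: Store, session: Session, media_id: str) -> Media:
    media = store.media.get(media_id)
    # Missing and foreign objects are rejected identically, so the response
    # does not reveal which media IDs exist.
    if media is None or media.owner_id != session.user_id:
        raise Forbidden("media not found or not owned by caller")
    return media


def post_tweet_secure(store: Store, session: Session, body: dict) -> Tweet:
    media = _owned_media(store, session, body["media_id"])
    # The author is always the authenticated user; any user_id in the body
    # is ignored rather than trusted.
    tweet = Tweet(author_id=session.user_id, text=body["text"],
                  media_id=media.media_id)
    store.tweets.append(tweet)
    return tweet


def delete_media_secure(store: Store, session: Session, body: dict) -> bool:
    media = _owned_media(store, session, body["media_id"])
    del store.media[media.media_id]
    return True


def demo() -> dict:
    """Run both handler pairs against a constructed store and report outcomes."""
    store = Store()
    store.media["m1"] = Media("m1", owner_id="victim")
    store.media["m2"] = Media("m2", owner_id="victim")
    caller = Session(user_id="someone_else")  # authenticated, but not the owner
    body = {"user_id": "victim", "text": "hello", "media_id": "m1"}

    result = {}
    result["vuln_author"] = post_tweet_vulnerable(store, caller, body).author_id
    delete_media_vulnerable(store, caller, {"media_id": "m2"})
    result["vuln_deleted_m2"] = "m2" not in store.media
    for name, handler in (("tweet", post_tweet_secure),
                          ("delete", delete_media_secure)):
        try:
            handler(store, caller, body)
            result[f"secure_{name}_blocked"] = False
        except Forbidden:
            result[f"secure_{name}_blocked"] = True
    result["m1_intact"] = "m1" in store.media
    # The real owner, acting under their own session, is still allowed.
    result["owner_author"] = post_tweet_secure(store, Session("victim"),
                                               body).author_id
    return result


if __name__ == "__main__":
    print(demo())
```

The fix has two parts that are easy to get only half right: the acting identity must come from the server-side session (never from a request field), and ownership must be checked against the stored record for every object the request touches, returning the same error for missing and foreign objects.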
Fortunately, it’s likely that no one exploited the bug before Prakash discovered it. On its launch, Studio was only available to publishers who had been whitelisted by Twitter. Twitter patched the bug within 24 hours of Prakash’s report and paid him $5,040 for his research.
But Prakash isn’t the only researcher who discovered serious flaws in Studio. A researcher who goes by Kedrisch told Motherboard that he discovered a similar bug still lingering in Studio’s code this February. The vulnerability Kedrisch found would have apparently allowed attackers to publish tweets from another user’s account, so long as a media file was attached. Twitter fixed this vulnerability in three days, and paid him $7,560 for finding it. (Twitter, like many companies, rewards researchers who responsibly disclose vulnerabilities through its bug bounty program.)
Of course, the ability to tweet from someone else’s account without needing their password could prove quite useful for an attacker—particularly in a time when the US president uses Twitter as his primary platform for communicating with the public. Bug bounty programs are a good way for companies to track down vulnerabilities in their products, but the fact that Studio included such broad vulnerabilities in its rollout doesn’t exactly inspire much confidence.