Another Twitter account takeover vulnerability spotted
By Prempal Singh
Once again an independent researcher has found a way to take control of Twitter accounts: to tweet, update and upload media as another user.
Researcher Anand Prakash spotted an insecure direct object reference (IDOR) vulnerability in Twitter's code which, until it was fixed, could have been exploited to tweet from another account, upload videos on behalf of other users, delete pictures and videos from a victim's Twitter posts, and view private media published by other Twitter users.
Prakash was probing the Twitter Studio feature for security bugs when he found that "all API requests on studio.twitter.com were sending a parameter called 'owner_id', which was the Twitter user id (publicly available and sequential) of the logged-in user," the post said. "The owner_id parameter was missing authorisation checks; changing it allowed me to take actions on behalf of other Twitter users."
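The flaw described above is the textbook IDOR shape: the server takes the object owner's identity from a client-controlled parameter instead of from the authenticated session. The following is an added illustration written for this article, not code from Prakash's write-up or from Twitter; the handler names, the `Request` type and the media records are constructed assumptions. It places the vulnerable pattern beside the hardened one so the authorisation defect, and the fix, are visible in a handful of lines.

```python
from dataclasses import dataclass, field

# Constructed sample data: two users with sequential ids, one private video each.
MEDIA = {
    101: {"owner_id": 1, "private": True, "title": "user1-video"},
    102: {"owner_id": 2, "private": True, "title": "user2-video"},
}


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request (assumed shape)."""
    session_user_id: int                         # identity from the server-side session
    params: dict = field(default_factory=dict)   # client-controlled query/body parameters


class Forbidden(Exception):
    pass


def delete_media_vulnerable(req: Request, media: dict = MEDIA) -> dict:
    """IDOR pattern: the handler reads owner_id from the request and never
    compares it to the authenticated session user, so the 'ownership' check
    is against a value the client chose."""
    owner_id = int(req.params["owner_id"])
    media_id = int(req.params["media_id"])
    item = media.get(media_id)
    if item is None:
        raise KeyError(media_id)
    if item["owner_id"] != owner_id:      # passes whenever the client supplies the real owner's id
        raise Forbidden("owner mismatch")
    del media[media_id]
    return {"deleted": media_id}


def delete_media_fixed(req: Request, media: dict = MEDIA) -> dict:
    """Hardened handler: ownership is derived from the session and any
    owner_id sent by the client is ignored. The lookup is scoped to the
    caller, and 'not found' and 'not yours' return the same error so the
    endpoint does not confirm the existence of other users' objects."""
    media_id = int(req.params["media_id"])
    item = media.get(media_id)
    if item is None or item["owner_id"] != req.session_user_id:
        raise Forbidden("no such media for this user")
    del media[media_id]
    return {"deleted": media_id}


def cross_account_delete_blocked(media: dict) -> bool:
    """Regression check a defender would keep in the test suite: user 1 asks to
    delete user 2's video through the fixed handler; the object must survive."""
    req = Request(session_user_id=1, params={"owner_id": "2", "media_id": "102"})
    try:
        delete_media_fixed(req, media)
    except Forbidden:
        return 102 in media
    return False


if __name__ == "__main__":
    print("fixed handler blocks cross-account delete:", cross_account_delete_blocked(dict(MEDIA)))
```

The detection side follows from the same observation: a request whose `owner_id` differs from the user id bound to the session cookie should never succeed, so a server-side log comparison of those two values is a cheap audit for this class of bug.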
The researcher released proof-of-concept videos showing how the vulnerability could leak private media and how an attacker could delete media from a victim's account. Prakash said he reported his finding to Twitter on August 29, 2016, and received a $5,049 bug bounty.
Source: www.scmagazine.com