Is It Easy To Tweet As Anyone?
On the 15th of July, 2020, Twitter was hacked. High-profile accounts on Twitter posted a tweet asking their followers to send Bitcoin. Twitter said it was a social engineering attack, while the media and others claimed it was an insider attack. Whatever the real cause was, human factors were involved.
This brings up an interesting and important question:
As an outsider, how easy is it for someone to tweet as you? On the 12th of June, 2014, a Twitter user with the handle derGeruhn published a tweet with an XSS payload and, almost immediately, other Twitter users started retweeting it. It turned out that everyone who viewed the tweet retweeted it automatically, without knowing they had. Within minutes, hundreds of people had seen and retweeted it. The issue here was Cross-Site Scripting, abbreviated XSS. When you tweet HTML code, Twitter is supposed to display it as text instead of rendering it. But TweetDeck had a bug: if a tweet contained an emoji, that tweet was rendered as HTML.
I have personally found a few XSS issues on Twitter, and so have other people. From my experience, I can say that there are still plenty of XSS issues on Twitter waiting to be discovered. So, XSS is pretty bad. But what if you wanted to tweet as someone else, impersonating them?
On the 26th of Feb, 2017, a bug bounty hunter named Kedrisch submitted a security bug to Twitter that allowed exactly that. He noted that Twitter Studio had an API endpoint for tweeting photos and videos. The endpoint takes several parameters; the important ones are user_id (the ID of the account the tweet will be sent from) and media_id (the ID of the media to be tweeted). He tried changing the user_id to that of another account he did not have access to.
It didn't work because that would be a disaster, right?
But the reason might be different from what you think. The API endpoint returned the error "userid is not the owner of the media." Now, Twitter Studio has another feature that allows sharing media with another user. The next thing Kedrisch tried was to upload media, share it with another account, then change the user_id, and boom: he was able to tweet as any user. The issue he found is what is referred to as an "Insecure Direct Object Reference" (aka IDOR). Twitter checked that the media belonged to, or was shared with, the given user_id, but it never checked whether the caller was authorized to perform actions on behalf of that account. IDORs are easy to find, as all you need to do is find different API endpoints and try.
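To make the missing check concrete, here is an added example modelling the endpoint described above. It is not Twitter's code; the handler names, the sample accounts and the media IDs are all assumptions. The vulnerable handler validates only the media against the client-supplied user_id, which is why sharing the media first turns the ownership error into a successful tweet; the fixed handler ties the acting account to the authenticated session before doing anything else.

```python
# Added example (not Twitter's code): a minimal model of the Twitter Studio
# "tweet media" endpoint. Sample data below is constructed for illustration.

# Which account uploaded each media item, and who it has been shared with.
MEDIA_OWNER = {"m1": "alice", "m2": "bob"}
MEDIA_SHARED_WITH = {"m1": {"bob"}}   # alice shared m1 with bob

# Tweets that actually got posted: (account, media_id) pairs.
TWEETS = []

OWNER_ERROR = "error: userid is not the owner of the media"
AUTHZ_ERROR = "error: not authorized to act as this account"


def media_accessible_by(media_id, account):
    """True if `account` owns `media_id` or it was shared with that account."""
    if MEDIA_OWNER.get(media_id) == account:
        return True
    return account in MEDIA_SHARED_WITH.get(media_id, set())


def tweet_media_vulnerable(session_user, user_id, media_id):
    """IDOR: trusts the client-supplied user_id as the tweeting account.
    `session_user` (who is actually logged in) is never consulted, so any
    account the media has been shared with can tweet it as the victim."""
    if not media_accessible_by(media_id, user_id):
        return OWNER_ERROR
    TWEETS.append((user_id, media_id))
    return "ok"


def tweet_media_fixed(session_user, user_id, media_id):
    """Hardened: the account being acted on must be the authenticated one.
    Only then is the media ownership / sharing check applied to it."""
    if user_id != session_user:
        return AUTHZ_ERROR
    if not media_accessible_by(media_id, user_id):
        return OWNER_ERROR
    TWEETS.append((user_id, media_id))
    return "ok"


if __name__ == "__main__":
    # Reproduces the sequence in the write-up: bob is logged in.
    print(tweet_media_vulnerable("bob", "alice", "m2"))  # ownership error
    print(tweet_media_vulnerable("bob", "alice", "m1"))  # ok: tweets as alice
    print(tweet_media_fixed("bob", "alice", "m1"))       # rejected
```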
You could do much more than impersonate another user. Imagine an IDOR that allowed changing the email address of another user: it could allow a complete account takeover by resetting the password. Ironically, because they are easy to find, most IDOR issues have already been reported through bug bounty programs. Much more sophisticated techniques could achieve the same result, but hacking can sometimes be very simple. By describing these attack vectors, we hope to better illustrate to bug bounty hunters the impact of various bugs.