A security researcher discovered a critical vulnerability in the advertising code of Twitter, the most popular micro-blogging website in the world, which if exploited could let hackers publish updates from any other account without needing access to the victim's profile.
The white-hat hacker, writing in a blog post this week (22 May), claimed to have uncovered the issue while exploring Twitter's code for bugs. He said the flaw could give cybercriminals the ability to "publish entries in Twitter-network by any user of this service."
The vulnerability was initially found on 26 February 2017 and fixed two days later.
The hacker, known as kedrisch, reported the flaw via Twitter's bug bounty service – a programme managed by the organisation HackerOne which lets researchers disclose bugs in exchange for rewards.
In this instance, kedrisch was handed a bounty of $7,560 (£5,832) for his efforts.
The issue he found was in Twitter's advertising code. Essentially, the researcher said flaws existed in how the service's media library uploaded files such as videos, images and GIFs to the platform.
Rules surrounding the responsible disclosure programme mean the flaw is only coming to light now.
In a statement, Twitter said: "The reporter discovered a flaw in the handling of Twitter Ads Studio requests which allowed an attacker to tweet as any user.
"By sharing media with a victim user and then modifying the post request with the victim's account ID the media in question would be posted from the victim's account. This bug was patched [...] and no evidence was found of the flaw being exploited by anyone other than the reporter."
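The flaw class in Twitter's statement, a posting account taken from the request instead of from the authenticated session, is sketched below as an added example. It is not Twitter's code, which the page does not show; every name, field and ID in it is a constructed assumption.

```python
# Constructed model of the flaw class described in Twitter's statement.
# All names, fields and account IDs are hypothetical; this is not Twitter's code.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when a publish request fails an authorization check."""

@dataclass
class Media:
    owner_id: int
    shared_with: set = field(default_factory=set)  # accounts allowed to use the media

@dataclass
class Session:
    user_id: int                        # set by the server at login, never by the client
    delegated: frozenset = frozenset()  # accounts this user may legitimately post for

def _media_visible_to(media, account_id):
    return account_id == media.owner_id or account_id in media.shared_with

def publish_vulnerable(session, media, body):
    # Defect: the posting account comes from the request body. The only check is
    # that the named account can use the media, which sharing makes true.
    account_id = body["account_id"]
    if not _media_visible_to(media, account_id):
        raise Forbidden("media not available to account")
    return {"posted_as": account_id, "requested_by": session.user_id}

def publish_hardened(session, media, body):
    # Fix: the session decides who may post. A client-supplied account ID is
    # accepted only if it is the session user or an account delegated to them.
    account_id = body.get("account_id", session.user_id)
    if account_id != session.user_id and account_id not in session.delegated:
        raise Forbidden("session may not post as this account")
    if not _media_visible_to(media, account_id):
        raise Forbidden("media not available to account")
    return {"posted_as": account_id, "requested_by": session.user_id}

if __name__ == "__main__":
    requester = Session(user_id=1001)                      # constructed IDs
    media = Media(owner_id=1001, shared_with={2002})       # shared with account 2002
    body = {"account_id": 2002}                            # account ID altered in the request
    print("vulnerable:", publish_vulnerable(requester, media, body))
    try:
        publish_hardened(requester, media, body)
    except Forbidden as exc:
        print("hardened: rejected,", exc)
```

Logging both `posted_as` and `requested_by` on every publish gives responders a direct way to look for past mismatches, the kind of evidence behind a statement that no one other than the reporter used the flaw.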
Charlie Miller, a security expert well known for being part of the collective which remotely hacked a 2014 Jeep Cherokee, tweeted: "As former appsec [Application Security] tech lead for Twitter, I'll just say I'm not shocked this was in code from the ads team." He did not elaborate further.
Last December, kedrisch was awarded $1,120 (£864) for finding a less critical flaw which could let a hacker change comments on Twitter's official forums. This was publicly disclosed on 12 May 2017.
Most recently, Twitter issued a warning to users of its Vine service that a bug potentially exposed users' email addresses and phone numbers to unnamed third parties. In an email sent to all impacted Vine users, it said the bug affected the Vine Archive for "less than 24 hours".
Vine was bought by Twitter back in 2012. However, the company decided to shut down the popular short video publishing application earlier this year amid a period of heavy job cuts.
"We want to emphasise that this information can't directly be used to access your account, and we have no information indicating that it has been misused," Twitter's email to Vine users stressed. "We take these incidents very seriously, and we're sorry this occurred," it added.