X (Formerly Twitter): [Studio.twitter.com] See someone else pics

Hi Team, Below URL is missing authorisation where user A who is not having access to user B's data is able to view the video/pics by user. Vulnerable request: GET /1/library/list.json?accountid=4503599659510351&ownerid=12&limit=20&offset=0 HTTP/1.1 Host: studio.twitter.com User-Agent: Mozilla/5.0...