Showing posts from May, 2017

How I took control of your Twitter account (tweeting, viewing/deleting photos and other media)

Summary:This blog post is about an Insecure direct object reference vulnerability on Twitter which could have been used by attackers to tweet from other accounts, upload videos on behalf of user, delete pics/videos from victim's tweets, view private media uploaded by other twitter accounts etc. All endpoints on were vulnerable.

Description:Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app.

Twitter had launched a new product named Twitter Studio ( in September 2016. So i started looking out for security loopholes after the launch. All API requests on were sending a parameter named "owner_id" which was twitter user id(publicly available and sequential) of th…