Over the years, Twitter’s become a lot more than just a social network. It’s helped overthrow governments, elect a real estate tycoon to the White House, and even get people free chicken nuggets. But even the biggest tech companies can have some pretty basic security vulnerabilities.
An Indian ethical hacker has revealed that last year, he’d discovered a way to post tweets from any account he wished. This is fairly serious — Twitter’s home to all manner of celebrities, from Presidents to pop singers, and strangers being able to control their accounts can have some major ramifications. Anand Prakash says he found a vulnerability in the Twitter Studio product. “Twitter had launched a new product named Twitter Studio (studio.twitter.com) in September 2016. So I started looking out for security loopholes after the launch. All API requests on studio.twitter.com were sending a parameter named ‘owner_id’ which was twitter user id (publicly available and sequential) of the logged in user. Owner_id parameter was missing authorisation checks, changing which allowed me to take actions on behalf of other twitter users,” he said.
Using this vulnerability, Prakash was able to easily tweet from a friend’s account, and demonstrated his hack in a video. Prakash says the vulnerability wasn’t limited to tweeting — he could also upload photos and videos from other accounts, delete videos other accounts had posted, and even access private files people had uploaded on Twitter.
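The missing check described above, sketched as an added example (not Twitter's code and not part of the original article): a handler that trusts a client-supplied owner_id, next to one that ties it to the authenticated session and records refusals. The class, the token and id values, and the delegation table are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is not allowed to act for the requested owner_id."""


@dataclass
class StudioAPI:  # hypothetical service, not Twitter's implementation
    sessions: dict                               # session token -> authenticated user id
    grants: dict = field(default_factory=dict)   # owner_id -> user ids allowed to act for it (assumed feature)
    posts: dict = field(default_factory=dict)    # owner_id -> posted texts
    denied: list = field(default_factory=list)   # (caller, owner_id) pairs, kept for alerting

    def _caller(self, token):
        user = self.sessions.get(token)
        if user is None:
            raise Forbidden("no valid session")
        return user

    def post_vulnerable(self, token, owner_id, text):
        # Authenticates the session, then trusts the client-supplied owner_id.
        self._caller(token)
        self.posts.setdefault(owner_id, []).append(text)

    def post_fixed(self, token, owner_id, text):
        # Authorization: owner_id must be the caller, or an account that
        # has explicitly granted the caller access.
        caller = self._caller(token)
        if owner_id != caller and caller not in self.grants.get(owner_id, set()):
            self.denied.append((caller, owner_id))
            raise Forbidden(f"user {caller} may not act for {owner_id}")
        self.posts.setdefault(owner_id, []).append(text)


def demo():
    # Constructed sample data: two sessions, one delegation (1003 lets 1001 post).
    api = StudioAPI(sessions={"tok-a": 1001, "tok-b": 1002}, grants={1003: {1001}})
    api.post_vulnerable("tok-a", 1002, "not written by 1002")  # accepted: the bug
    results = {}
    for owner in (1001, 1002, 1003):
        try:
            api.post_fixed("tok-a", owner, "hello")
            results[owner] = "ok"
        except Forbidden:
            results[owner] = "denied"
    return api, results


if __name__ == "__main__":
    api, results = demo()
    print(results, api.denied)
```

The same server-side comparison has to guard every action that accepts owner_id (upload, delete, file read), and the denied list gives monitoring a signal when one session keeps asking for other owners' ids.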
Prakash chose to use his superpower for good instead of evil — instead of taking over Twitter accounts, as several hackers have done in the past, he reported the vulnerability to Twitter. The San Francisco-based company rewarded him with $5,040 (Rs. 3.25 lakh) for his efforts.
This isn’t the first time Anand Prakash has detected a vulnerability in a major corporation — last year, he’d been awarded Rs. 10 lakh by Facebook for detecting a bug on their systems. He was also paid Rs. 3 lakh by Uber when he told them of how he’d discovered a way to take an unlimited number of rides for free. Prakash graduated from Vellore Institute of Technology in 2014 with a degree in Computer Science. He’d been interested in internet security right from college, having interned with the Haryana Police in its Cyber Security team. After graduating, he’d worked with Flipkart for two years as a Security Researcher.