
Publish tweets by any other user - Trufa
http://kedrisec.com/twitter-publish-by-any-user/
======
lol768
I found this difficult to follow, but from what I can gather, sharing the
media file with another user generated a new media key/identifier that was
considered to be owned by the victim - instead of the original user uploading
it?

And then from here, by abusing the ad studio tweet functionality, it's
possible to tweet using the victim's account?

Edit: Twitter's HackerOne summary makes a lot more sense: "The reporter
discovered a flaw in the handling of Twitter Ads Studio requests which allowed
an attacker to tweet as any user. By sharing media with a victim user and then
modifying the post request with the victim's account ID the media in question
would be posted from the victim's account. This bug was patched immediately
after being triaged and no evidence was found of the flaw being exploited by
anyone other than the reporter."
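
Added example, not part of the thread and not Twitter's code: a simplified model of the class of flaw the quoted summary describes, where the server authorizes the account ID taken from the request against the media but never against the authenticated session. All names here (`MEDIA`, `DELEGATES`, `publish_flawed`, `publish_fixed`) and the sample data are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Media:
    owner_id: str
    shared_with: set = field(default_factory=set)


# Constructed sample data: one media item uploaded by "attacker" and shared with "victim".
MEDIA = {"m1": Media(owner_id="attacker", shared_with={"victim"})}

# Hypothetical delegation table: accounts each authenticated user may post as.
DELEGATES = {"attacker": {"attacker"}, "victim": {"victim"}}


def can_use_media(account_id, media_key):
    """True if the account owns the media or the media was shared with it."""
    m = MEDIA.get(media_key)
    return m is not None and (account_id == m.owner_id or account_id in m.shared_with)


def publish_flawed(session_user, account_id, media_key):
    """Flawed: trusts account_id from the request body and only checks that
    this account may use the media. session_user is never consulted."""
    if not can_use_media(account_id, media_key):
        return ("denied", None)
    return ("posted", account_id)


def publish_fixed(session_user, account_id, media_key):
    """Fixed: the posting account must be one the authenticated session user
    is allowed to act as, before any media check is made."""
    if account_id not in DELEGATES.get(session_user, set()):
        return ("denied", None)
    if not can_use_media(account_id, media_key):
        return ("denied", None)
    return ("posted", account_id)


if __name__ == "__main__":
    # Same request against both handlers: session is "attacker", body says "victim".
    print(publish_flawed("attacker", "victim", "m1"))
    print(publish_fixed("attacker", "victim", "m1"))
```

The sharing step matters because it makes the media check pass for the victim's account, so a handler that validates only the (account, media) pair sees nothing wrong.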

