Until February 28 of this year, anyone could have tweeted from anybody else’s Twitter account exploiting a bug in the social network’s ad service.
A security researcher found that a flaw in Twitter Ad Studio, a service that allows advertisers to upload media, allowed a hacker to post tweets as any other user.
Videos by VICE
“By sharing media with a victim user and then modifying the post request with the victim’s account ID the media in question would be posted from the victim’s account,” Twitter wrote in its summary of the bug. In plain English, this means that the attacker simply needed to fiddle with the code that gets sent to Twitter when posting something to trick the social network into posting the tweet as somebody else—all without having to hack anyone’s account.
Read more: How Hackers Could Have Pwned You With a Nasty Steam Bug
The researcher, who goes by Kedrisch, found the flaw in February and reported it to Twitter on February 25 after spending “several days” looking for bugs, as he told Motherboard.
The bug was “quite not difficult” to exploit, Kedrisch told Motherboard.
The company fixed it three days later, and awarded the researcher with a bounty of $7,560. Considering the bug allowed anyone to impersonate anyone else on Twitter, that sum might seem a bit low. But the most Twitter pays for a bug is $15,000, according to the social networks page on Hacker One, a service that allows independent security researchers to report bugs to companies.
Twitter did not immediately respond to a request for comment.
Subscribe to Science Solved It , Motherboard’s new show about the greatest mysteries that were solved by science.