📚 Twitter: Read-only application can publish/delete fleets
💡 News category: Vulnerabilities
🔗 Source: vulners.com
Summary: Twitter released Fleets yesterday. The feature is backed by a few new APIs, and these APIs are missing permission checks.

Description: In /fleets/v1/create on https://api.twitter.com there is no check whether the application has permission to write to the account. /fleets/v1/delete has the same issue.

Steps To Reproduce:
1. Install twurl.
2. Authenticate as a read-only application.
3. Execute the following command:
twurl /fleets/v1/create -X POST --header 'Content-Type: application/json' -d '{"text":"Hey yo"}'
A fleet with the text "Hey yo" will be created.

Supporting Material/References: {F1075380}

Impact: A read-only application can publish fleets without having been granted Write permission. This issue has a similar impact to... ...
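The root cause described above is a write endpoint that authenticates the caller's token but never consults the permission level the application was granted. The following is an added illustration, not Twitter's code or anything from the report: the token store, the "read" / "read-write" level names, the FleetStore class and the handler and helper names are all constructed for the example; only the two endpoint paths /fleets/v1/create and /fleets/v1/delete come from the report. It places the handler with the missing check beside a corrected one and adds a regression check that any write endpoint should pass.

```python
"""Authorization check for write endpoints behind OAuth application tokens.

Added example, not Twitter's code: the token store, the permission level
names, FleetStore and all function names are constructed for illustration.
Only the endpoint paths /fleets/v1/create and /fleets/v1/delete come from
the report.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed token store: access token -> (account id, application permission level).
# The levels mirror the "Read" vs "Read and write" access an application is granted.
TOKENS: Dict[str, Tuple[str, str]] = {
    "tok-readonly-app": ("acct-1", "read"),
    "tok-readwrite-app": ("acct-1", "read-write"),
}

# Endpoints that modify account state and therefore require the read-write level.
WRITE_PATHS = frozenset({"/fleets/v1/create", "/fleets/v1/delete"})


@dataclass
class FleetStore:
    """Stand-in for the backend that persists fleets (constructed)."""
    fleets: List[dict] = field(default_factory=list)


def authenticate(token: str) -> Optional[Tuple[str, str]]:
    """Resolve a token to (account, level), or None if the token is unknown."""
    return TOKENS.get(token)


def authorize(level: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason): write paths require the read-write level."""
    if path in WRITE_PATHS and level != "read-write":
        return False, f"{path} requires read-write, token level is {level}"
    return True, "ok"


def create_fleet_missing_check(store: FleetStore, token: str, text: str):
    """Behaviour the report describes: the token is authenticated, but its
    permission level is never consulted, so a read-only application can write."""
    entry = authenticate(token)
    if entry is None:
        return 401, {"error": "unauthenticated"}
    account, _level = entry
    store.fleets.append({"account": account, "text": text})
    return 200, {"created": text}


def create_fleet_checked(store: FleetStore, token: str, text: str):
    """Corrected handler: authenticate, then authorize against the endpoint."""
    entry = authenticate(token)
    if entry is None:
        return 401, {"error": "unauthenticated"}
    account, level = entry
    allowed, reason = authorize(level, "/fleets/v1/create")
    if not allowed:
        return 403, {"error": reason}
    store.fleets.append({"account": account, "text": text})
    return 200, {"created": text}


def delete_fleet_checked(store: FleetStore, token: str, index: int):
    """Same authenticate-then-authorize pattern for the delete endpoint."""
    entry = authenticate(token)
    if entry is None:
        return 401, {"error": "unauthenticated"}
    account, level = entry
    allowed, reason = authorize(level, "/fleets/v1/delete")
    if not allowed:
        return 403, {"error": reason}
    # Only the owning account may delete, and the fleet must exist.
    if not (0 <= index < len(store.fleets)) or store.fleets[index]["account"] != account:
        return 404, {"error": "no such fleet"}
    store.fleets.pop(index)
    return 200, {"deleted": index}


def enforces_write_permission(handler) -> bool:
    """Regression check for any create-style write handler: a read-only token
    must be refused with 403 and must leave the store unchanged."""
    store = FleetStore()
    status, _ = handler(store, "tok-readonly-app", "Hey yo")
    return status == 403 and store.fleets == []


if __name__ == "__main__":
    print("handler with missing check refuses read-only app:",
          enforces_write_permission(create_fleet_missing_check))
    print("checked handler refuses read-only app:",
          enforces_write_permission(create_fleet_checked))
```

The point of separating authenticate from authorize is that a valid token answers only "who is calling"; whether that caller may reach a state-changing endpoint is a second decision that every write path has to make explicitly, which is what the regression helper checks for.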