Much as some of us might wish, it doesn't explain Donald Trump's tweets, but there's a chance it could explain irregularities in tweets from any number of other Twitter accounts.
As former appsec tech lead for twitter, I'll just say I'm not shocked this was in code from the ads team. https://t.co/TZRYvmuXfj— Charlie Miller (@0xcharlie) May 23, 2017
It, in this case, is a bug that would have allowed hackers to post from anyone's account, even Trump's, and even before Trump added two-factor authentication. According to Motherboard, code from Twitter's ads team had introduced the vulnerability. Discovered in February by someone who goes by the nickname kedrisch, the flaw "in the handling of Twitter Ads Studio requests…allowed an attacker to tweet as any user. By sharing media with a victim user and then modifying the post request with the victim's account ID the media in question would be posted from the victim's account. This bug was patched immediately after being triaged and no evidence was found of the flaw being exploited by anyone other than the reporter." Twitter seems to have paid kedrisch a bounty of $7,500 for discovering the bug.
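The flaw described above is a classic broken-access-control pattern: the server let a field in the POST body, rather than the authenticated session, decide which account a shared media item was posted from. The following is an added illustration written for this article, not Twitter's code and not kedrisch's report; the store, the account names (acct-A, acct-B), the media ID and the handler names are all constructed. It places a hypothetical vulnerable handler next to a hardened one that binds the posting account to the session and records any mismatch as an audit event, which is the detection signal a defender would want for this bug class.

```python
"""Added illustration of the access-control flaw class described in the
article: a POST handler that decides which account a shared media item is
posted from using a client-supplied account ID instead of the authenticated
session. Hypothetical code, not Twitter's; every name and value is constructed."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


@dataclass
class MediaStore:
    """Constructed server-side state: media ownership, sharing, and timelines."""
    owner: dict = field(default_factory=dict)        # media_id -> account_id
    shared_with: dict = field(default_factory=dict)  # media_id -> set of account_ids
    timeline: dict = field(default_factory=dict)     # account_id -> [media_id, ...]

    def share(self, media_id, from_account, to_account):
        """The owner shares a media item with another account."""
        if self.owner.get(media_id) != from_account:
            raise Forbidden("only the owner can share")
        self.shared_with.setdefault(media_id, set()).add(to_account)

    def can_use(self, media_id, account_id):
        """True if the account owns the media or has had it shared with it."""
        return (account_id == self.owner.get(media_id)
                or account_id in self.shared_with.get(media_id, set()))


@dataclass
class Request:
    session_user: str  # identity bound to the session cookie (server-verified)
    form: dict         # parsed POST body, entirely under the client's control


AUDIT = []  # constructed stand-in for a security event log


def audit_log(session_user, supplied_account, media_id):
    """Record a session/body mismatch: a cheap, high-signal detection for this bug class."""
    AUDIT.append({"event": "account_id_mismatch", "session_user": session_user,
                  "supplied_account": supplied_account, "media_id": media_id})


def post_media_vulnerable(store, req):
    """Vulnerable pattern: the posting account is read from the POST body.

    The only check is that the named account may use the media, which any
    account the media was shared with satisfies; nothing ties that account
    to the caller's session."""
    media_id = req.form["media_id"]
    account_id = req.form["account_id"]
    if not store.can_use(media_id, account_id):
        raise Forbidden("account has no access to this media")
    store.timeline.setdefault(account_id, []).append(media_id)
    return account_id


def post_media_fixed(store, req):
    """Hardened pattern: the posting account is the authenticated session user.

    A body-supplied account_id is accepted only when it equals the session
    user; any mismatch is rejected and logged so it can be alerted on."""
    media_id = req.form["media_id"]
    account_id = req.session_user
    supplied = req.form.get("account_id")
    if supplied is not None and supplied != account_id:
        audit_log(req.session_user, supplied, media_id)
        raise Forbidden("account_id does not match the authenticated session")
    if not store.can_use(media_id, account_id):
        raise Forbidden("account has no access to this media")
    store.timeline.setdefault(account_id, []).append(media_id)
    return account_id


def demo():
    """Replay the article's scenario on constructed data against both handlers."""
    store = MediaStore(owner={"media-1": "acct-A"})
    store.share("media-1", "acct-A", "acct-B")
    # A request from acct-A's session whose body names acct-B as the poster.
    req = Request(session_user="acct-A",
                  form={"media_id": "media-1", "account_id": "acct-B"})
    posted_as_vulnerable = post_media_vulnerable(store, req)   # lands on acct-B
    try:
        post_media_fixed(store, req)
        posted_as_fixed = None
    except Forbidden:
        posted_as_fixed = "rejected"
    return posted_as_vulnerable, posted_as_fixed, list(store.timeline.get("acct-B", []))


if __name__ == "__main__":
    print(demo())  # ('acct-B', 'rejected', ['media-1'])
```

The design point is that authorization must be computed from the identity the server established (the session), never from an identifier the client can edit; accepting a redundant body field only when it agrees with the session keeps older clients working while turning every disagreement into a logged, alertable event.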
[Photo: Unsplash user Benjamin Balázs] DT