I have reported a CSRF vulnerability which allows an attacker to authorize any application in victims account on Twitter. It means that an attacker could spam victim’s Twitter account by tweets, follow any profile, send/get direct messages or anything possible with Twitter API. They patched it in 2 days after my report.

You can watch the PoC below: