From Nautilus file manager thumbnail to code execution via ghostscript and evince... by @taviso & @tehjh http://seclists.org/oss-sec/2018/q3/157 …pic.twitter.com/UGbUSwXcPe
I blame both for using unsafe thumbnailing backends rather than a minimal one that only reads png and jpeg.
As if there hadn't been loads of vulnerabilities in libpng and libjpeg in the past
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libpng …
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libjpeg …
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libjpeg-turbo …
By the way, guess what your browser uses to render PNG and JPEG. Or webfonts...
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=freetype …
There are much better decoders...