[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Twitter Pro: Best Buy's @twelpforce is full of [security] fail
- To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Twitter Pro: Best Buy's @twelpforce is full of [security] fail
- From: Sam Johnston <samj@xxxxxxxx>
- Date: Sun, 23 Aug 2009 10:24:42 +0200
[I hope this light weekend reading is considered on-topic for
full-disclosure but feel free to moderate/delete/ignore it if not]
Twitter Pro: Best Buy's @twelpforce is full of [security] fail
http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html
As you know I've been paying very close attention to Twitter this week
and while trawling through their blog looking for [ab]use of various
terms they're trying to trademark I found this little chestnut:
BestBuy, Good Stuff. Basically, "BestBuy has created a program they
call Twelpforce. The idea is that employees from across the
organization can interact quickly and easily with customers who have
questions about products". Curious I took a look at @twelpforce and
was greeted with this:
[pic]
Just in case you can't see it from here (or click through to the full
size version), the first tweet is:
@SimonTheSnowman this is true, Best Buy will rule the world. via
@mikelinsalaco
Here we have 12 year old Simon of Being Freakin' Awesome, Inc. (who
can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/)
being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco,
I am kind of a big thing. Muthasuckin Mahogany and leatherbound
books". As James Watters would say, the critique here writes iself?
This is in line with Dave Zatz's observations too in suggesting Has
Best Buy’s Twelpforce Already Failed? Dave draws attention to this
classy twelpforcer tweet (among others): "tweet tweet...im such a
homo" - definitely not the sort of thing I'd want associated with my
corporate branding, that's for sure.
This, viewers, is what Twitter has in mind for companies (having come
clean after TechCrunch aired their dirty laundry in public). They are
so excited in fact that "[they]'ve been studying how customers and
businesses interact and derive value from Twitter [and] are putting
together a document based on our studies and we'll find a spot on our
web site to share it with everyone when it's ready". Definitely
looking forward to leafing through that when it's available, though
I'm guessing there'll have to be some fairly agressive pre-press
filtering if this is what the raw feed looks like. Despite appearances
I do rather like Twitter and hope they do well - I'm just not
convinced this is how they're going to make their millions.
Cutting to the chase, see that third tweet: "@missladii0430
#Twelpforce If you are a Best Buy employee you can sign up here. -->
http://tinyurl.com/kp8jwb via @Agent8819". That employee sign up link
takes you here: http://bbyconnect.appspot.com/connect/signup/ See the
problem yet? The first thing they ask you for is "Please enter your
Best Buy employee number and password", followed immediately by your
"Best Buy Corporate email address".
What's that? You want my name (Best Buy addresses are
firstname.lastname@xxxxxxxxxxx), corporate email, employee number and
corporate password to be sent over the big bad Internet? To a preview
release of a service hosted by someone else? That's ok, it's
encrypted, right? WRONG. Never mind, I'll just change "http" to
"https". Wrong again. Though Google App Engine supports SSL it's
disabled for this application/URL so even though it looks like it
works you've just been silently redirected back to the insecure
address. Oops.
So here we have Best Buy soliciting corporate credentials with no
encryption whatsoever, over the public Internet (including any local,
potentially unprotected wireless), to a preview release of a service
they have little control over and, it gets better, verifying them in
real time! If you enter random details into the form it will tell you
instantly (that's right, no tarpitting or other delays) that "Employee
number or password is incorrect". Don't have a Best Buy employee
number to try? That's ok because they're only a Google search away
(along with network configuration information including server names)
and there doesn't appear to be anything stopping you from trying as
many times as you like either so brute force away.
Normally I'd have reported this via the usual channels but they've not
given any contact information whatsoever (except via public Twitter)
and besides, it's such a comedy of errors that they're probably better
off shutting it down than trying to fix it anyway. What I don't get
more than anything else is why they would bother trying to roll their
own when there are plenty of perfectly good services like CoTweet and
HootSuite that are being used with far better results by the likes of
Ford, Coke, Pepsi, JetBlue, Sprint & StarBucks.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/