[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- To: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- From: Reverse Skills <contact@xxxxxxxxxxxxxxxxx>
- Date: Tue, 15 Mar 2011 16:02:10 +0100
The problem is to allow unlimited access to that resource, not the
resource itself.
2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>:
> This conceptual flaw exists in most web apps which have a "reset password by
> email address" feature, as most will display an error if the email address
> does not exist in their database.
>
> On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <contact@xxxxxxxxxxxxxxxxx>
> wrote:
>>
>> Simple and easy way to get a list of email accounts used on Twitter.
>> For Phishing campaigns, custom Spam...
>>
>> Twitter has been notified and I suppose someday be fixed if they think
>> there should be filtered.
>>
>> When you create a new Twitter account, the form requesting a mailing
>> address. Twitter verify that the email account is not being used, but
>> does not check any user token or limit the usage (captcha/block).
>>
>> https://twitter.com/signup ->
>> http://twitter.com/users/email_available?email=
>>
>> We just need to automate it with a simple script , ***Everything you
>> do will be your responsibility***
>> -------------------
>> #!/usr/bin/python
>> import sys, json, urllib2, os
>>
>> f =
>> urllib2.urlopen("http://twitter.com/users/email_available?email="+sys.argv[1])
>> data = json.load(f)
>> def valid()
>> ..
>> Email has already been taken" in data ["msg"] <-- reply
>> ..
>> -------------------
>>
>> We just need a list of users to test.. for example :
>> http://twitter.com/about/employees (don't be evil is just an
>> example!)
>> Parsing the name/nickname and testing the {user}@twitter.com a few
>> minutes later we have a list of ~ 400 valid internal email
>> *@twitter.com. An attacker could probably.. a brute force attack
>> (Google Apps), would send Phishing or try to exploit some browser bugs
>> or similar. #Aurora #Google. Most of these e-mail are internal, not
>> public..
>> There are also some that make you think they are used to such
>> A-Directory system users :
>> ..
>> apache@xxxxxxxxxxx
>> root@xxxxxxxxxxx
>> mail@xxxxxxxxxxx
>> ..
>>
>> But, if you download a database Rockyou / Singles.org / Gawker /
>> Rootkit.com or just a typical dictionaries and domains will be quite
>> easy to get hold of a list of users large enough (*@hotmail.com,
>> *@gmail.com, etc).For example in my case I used to find user accounts
>> in a pentest of a company that used Twitter. But probably not a good
>> idea to allow unlimited access, a malicious user could use these user
>> lists for Spam or Phishing.
>>
>> --
>> Security Researcher
>> http://twitter.com/revskills
>> --
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
--
--
Security Researcher
http://twitter.com/revskills
--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/