[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- To: Reverse Skills <contact@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?
- From: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
- Date: Tue, 15 Mar 2011 15:10:46 +0000
Agreed. These public API methods should have brute force protection at the
very least. But, because they want instant in-line form validation for email
address availability, this makes it difficult. In an ideal world, they'd
have a CAPTCHA on the form, and only validate upon submit with valid
captcha.
On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills
<contact@xxxxxxxxxxxxxxxxx>wrote:
> The problem is to allow unlimited access to that resource, not the
> resource itself.
>
> 2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>:
> > This conceptual flaw exists in most web apps which have a "reset password
> by
> > email address" feature, as most will display an error if the email
> address
> > does not exist in their database.
> >
> > On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <
> contact@xxxxxxxxxxxxxxxxx>
> > wrote:
> >>
> >> Simple and easy way to get a list of email accounts used on Twitter.
> >> For Phishing campaigns, custom Spam...
> >>
> >> Twitter has been notified and I suppose someday be fixed if they think
> >> there should be filtered.
> >>
> >> When you create a new Twitter account, the form requesting a mailing
> >> address. Twitter verify that the email account is not being used, but
> >> does not check any user token or limit the usage (captcha/block).
> >>
> >> https://twitter.com/signup ->
> >> http://twitter.com/users/email_available?email=
> >>
> >> We just need to automate it with a simple script , ***Everything you
> >> do will be your responsibility***
> >> -------------------
> >> #!/usr/bin/python
> >> import sys, json, urllib2, os
> >>
> >> f =
> >> urllib2.urlopen("http://twitter.com/users/email_available?email=
> "+sys.argv[1])
> >> data = json.load(f)
> >> def valid()
> >> ..
> >> Email has already been taken" in data ["msg"] <-- reply
> >> ..
> >> -------------------
> >>
> >> We just need a list of users to test.. for example :
> >> http://twitter.com/about/employees (don't be evil is just an
> >> example!)
> >> Parsing the name/nickname and testing the {user}@twitter.com a few
> >> minutes later we have a list of ~ 400 valid internal email
> >> *@twitter.com. An attacker could probably.. a brute force attack
> >> (Google Apps), would send Phishing or try to exploit some browser bugs
> >> or similar. #Aurora #Google. Most of these e-mail are internal, not
> >> public..
> >> There are also some that make you think they are used to such
> >> A-Directory system users :
> >> ..
> >> apache@xxxxxxxxxxx
> >> root@xxxxxxxxxxx
> >> mail@xxxxxxxxxxx
> >> ..
> >>
> >> But, if you download a database Rockyou / Singles.org / Gawker /
> >> Rootkit.com or just a typical dictionaries and domains will be quite
> >> easy to get hold of a list of users large enough (*@hotmail.com,
> >> *@gmail.com, etc).For example in my case I used to find user accounts
> >> in a pentest of a company that used Twitter. But probably not a good
> >> idea to allow unlimited access, a malicious user could use these user
> >> lists for Spam or Phishing.
> >>
> >> --
> >> Security Researcher
> >> http://twitter.com/revskills
> >> --
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>
>
> --
> --
> Security Researcher
> http://twitter.com/revskills
> --
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/