[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Using Twitter for Phishing Campaign / Spam / Followers?



with services like decaptcher and deathbycaptcha this would not be a
hindrance anyway

2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>

> Agreed. These public API methods should have brute force protection at the
> very least. But, because they want instant in-line form validation for email
> address availability, this makes it difficult. In an ideal world, they'd
> have a CAPTCHA on the form,  and only validate upon submit with valid
> captcha.
>
>
> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <contact@xxxxxxxxxxxxxxxxx
> > wrote:
>
>> The problem is to allow unlimited access to that resource, not the
>> resource itself.
>>
>> 2011/3/15 Cal Leeming <cal@xxxxxxxxxxxxxxxx>:
>> > This conceptual flaw exists in most web apps which have a "reset
>> password by
>> > email address" feature, as most will display an error if the email
>> address
>> > does not exist in their database.
>> >
>> > On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <
>> contact@xxxxxxxxxxxxxxxxx>
>> > wrote:
>> >>
>> >> Simple and easy way to get a list of email accounts used on Twitter.
>> >> For Phishing campaigns, custom Spam...
>> >>
>> >> Twitter has been notified and I suppose someday be fixed if they think
>> >> there should be filtered.
>> >>
>> >> When you create a new Twitter account, the form requesting a mailing
>> >> address. Twitter verify that the email account is not being used, but
>> >> does not check any user token or limit the usage (captcha/block).
>> >>
>> >> https://twitter.com/signup ->
>> >> http://twitter.com/users/email_available?email=
>> >>
>> >> We just need to automate it with a simple script , ***Everything you
>> >> do will be your responsibility***
>> >> -------------------
>> >> #!/usr/bin/python
>> >> import sys, json, urllib2, os
>> >>
>> >> f =
>> >> urllib2.urlopen("http://twitter.com/users/email_available?email=
>> "+sys.argv[1])
>> >> data = json.load(f)
>> >> def valid()
>> >> ..
>> >> Email has already been taken" in data ["msg"] <-- reply
>> >> ..
>> >> -------------------
>> >>
>> >> We just need a list of users to test.. for example :
>> >> http://twitter.com/about/employees  (don't be evil is just an
>> >> example!)
>> >> Parsing the name/nickname and testing the {user}@twitter.com a few
>> >> minutes later we have a list of ~ 400 valid internal email
>> >> *@twitter.com. An attacker could probably.. a brute force attack
>> >> (Google Apps), would send Phishing or try to exploit some browser bugs
>> >> or similar. #Aurora #Google. Most of these e-mail are internal, not
>> >> public..
>> >> There are also some that make you think they are used to such
>> >> A-Directory system users :
>> >> ..
>> >> apache@xxxxxxxxxxx
>> >> root@xxxxxxxxxxx
>> >> mail@xxxxxxxxxxx
>> >> ..
>> >>
>> >> But, if you download a database Rockyou / Singles.org / Gawker /
>> >> Rootkit.com or just a typical dictionaries and domains will be quite
>> >> easy to get hold of a list of users large enough (*@hotmail.com,
>> >> *@gmail.com, etc).For example in my case I used to find user accounts
>> >> in a pentest of a company that used Twitter. But probably not a good
>> >> idea to allow unlimited access, a malicious user could use these user
>> >> lists for Spam or Phishing.
>> >>
>> >> --
>> >> Security Researcher
>> >> http://twitter.com/revskills
>> >> --
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>>
>>
>>
>> --
>> --
>> Security Researcher
>> http://twitter.com/revskills
>> --
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/