Full Disclosure mailing list archives
Re: Using Twitter for Phishing Campaign / Spam / Followers?
From: Cal Leeming <cal () foxwhisper co uk>
Date: Fri, 18 Mar 2011 16:36:37 +0000
Lol, I didn't know about the commercial product 'decaptcher'. For shits and giggles, I was going to write a decaptcha myself and release as open source, never had time though :S One option would be to apply rate limitations to API calls per IP. Or, possibly some reallllllllly heavily obfuscated JS which does key calculation with a matching server side algo, and injects the value into the form upon submission. This is one of the methods we use on our paid adult sites. Unless the person is really determined (and has the patience to deobfuscate, then port to their own code), or their bots have spidermonkey built in, then it usually fends off most botters. To make it harder, we also have a library of about 500 of these (each with a different key build algo), which are cycled automatically lol. Example: $(function() { var _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]); var _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n); }); Again, not perfect, but it's worked well for us :) On Fri, Mar 18, 2011 at 3:58 PM, huj huj huj <datskihuj () gmail com> wrote:
with services like decaptcher and deathbycaptcha this would not be a hindrance anyway 2011/3/15 Cal Leeming <cal () foxwhisper co uk>Agreed. These public API methods should have brute force protection at the very least. But, because they want instant in-line form validation for email address availability, this makes it difficult. In an ideal world, they'd have a CAPTCHA on the form, and only validate upon submit with valid captcha. On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills < contact () reverseskills com> wrote:The problem is to allow unlimited access to that resource, not the resource itself. 2011/3/15 Cal Leeming <cal () foxwhisper co uk>:This conceptual flaw exists in most web apps which have a "resetpassword byemail address" feature, as most will display an error if the emailaddressdoes not exist in their database. On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <contact () reverseskills com>wrote:Simple and easy way to get a list of email accounts used on Twitter. For Phishing campaigns, custom Spam... Twitter has been notified and I suppose someday be fixed if they think there should be filtered. When you create a new Twitter account, the form requesting a mailing address. Twitter verify that the email account is not being used, but does not check any user token or limit the usage (captcha/block). https://twitter.com/signup -> http://twitter.com/users/email_available?email= We just need to automate it with a simple script , ***Everything you do will be your responsibility*** ------------------- #!/usr/bin/python import sys, json, urllib2, os f = urllib2.urlopen("http://twitter.com/users/email_available?email="+sys.argv[1])data = json.load(f) def valid() .. Email has already been taken" in data ["msg"] <-- reply .. ------------------- We just need a list of users to test.. for example : http://twitter.com/about/employees (don't be evil is just an example!) Parsing the name/nickname and testing the {user}@twitter.com a few minutes later we have a list of ~ 400 valid internal email *@twitter.com. An attacker could probably.. a brute force attack (Google Apps), would send Phishing or try to exploit some browser bugs or similar. #Aurora #Google. Most of these e-mail are internal, not public.. There are also some that make you think they are used to such A-Directory system users : .. apache () twitter com root () twitter com mail () twitter com .. But, if you download a database Rockyou / Singles.org / Gawker / Rootkit.com or just a typical dictionaries and domains will be quite easy to get hold of a list of users large enough (*@hotmail.com, *@gmail.com, etc).For example in my case I used to find user accounts in a pentest of a company that used Twitter. But probably not a good idea to allow unlimited access, a malicious user could use these user lists for Spam or Phishing. -- Security Researcher http://twitter.com/revskills -- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- -- Security Researcher http://twitter.com/revskills --_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Using Twitter for Phishing Campaign / Spam / Followers? Reverse Skills (Mar 15)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Reverse Skills (Mar 15)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? huj huj huj (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? huj huj huj (Mar 21)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 21)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? huj huj huj (Mar 23)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Reverse Skills (Mar 15)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)