Full Disclosure mailing list archives

Re: Twitter Pro: Best Buy's @twelpforce is full of [security] fail


From: "Valdis' Mustache" <securitas.mustata () gmail com>
Date: Sun, 23 Aug 2009 05:06:00 -0500

Herr Johnston,

I am simply atwitter (pardon the pun, my owner has been drinking this
evening and my follicles are afloat in a sub-par but nonetheless
intoxicating suspension of Chilean Pinot Grigio from the sale rack at
Albertson's) over the devastating significance of this disclosure.

It is simply SHOCKING to my hairy core to imagine that corporations
are making poor use of web applications and ineffectively managing
their branding on the nascent e-cacophony that is known as Web 2.0.

Indeed, it is precisely posts such as this one that this very list was
created for, so that the disclosure process might shame the worst
offenders into covering their naughty bits with much haste!

Do carry on, good sir! Do carry on!

I will doubtless follow your riveting blog and missives on other
Internet fora with much interest from this day forward.


Your humble servant,
El bigoti de Valdis





On 8/23/09, Sam Johnston <samj () samj net> wrote:
[I hope this light weekend reading is considered on-topic for
full-disclosure but feel free to moderate/delete/ignore it if not]

Twitter Pro: Best Buy's @twelpforce is full of [security] fail
http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html

As you know I've been paying very close attention to Twitter this week
and while trawling through their blog looking for [ab]use of various
terms they're trying to trademark I found this little chestnut:
BestBuy, Good Stuff. Basically, "BestBuy has created a program they
call Twelpforce. The idea is that employees from across the
organization can interact quickly and easily with customers who have
questions about products". Curious, I took a look at @twelpforce and
was greeted with this:

[pic]

Just in case you can't see it from here (or click through to the full
size version), the first tweet is:

    @SimonTheSnowman this is true, Best Buy will rule the world. via
@mikelinsalaco

Here we have 12 year old Simon of Being Freakin' Awesome, Inc. (who
can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/)
being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco,
I am kind of a big thing. Muthasuckin Mahogany and leatherbound
books". As James Watters would say, the critique here writes itself?

This is in line with Dave Zatz's observations too in suggesting Has
Best Buy’s Twelpforce Already Failed? Dave draws attention to this
classy twelpforcer tweet (among others): "tweet tweet...im such a
homo" - definitely not the sort of thing I'd want associated with my
corporate branding, that's for sure.

This, viewers, is what Twitter has in mind for companies (having come
clean after TechCrunch aired their dirty laundry in public). They are
so excited in fact that "[they]'ve been studying how customers and
businesses interact and derive value from Twitter [and] are putting
together a document based on our studies and we'll find a spot on our
web site to share it with everyone when it's ready". Definitely
looking forward to leafing through that when it's available, though
I'm guessing there'll have to be some fairly aggressive pre-press
filtering if this is what the raw feed looks like. Despite appearances
I do rather like Twitter and hope they do well - I'm just not
convinced this is how they're going to make their millions.

Cutting to the chase, see that third tweet: "@missladii0430
#Twelpforce If you are a Best Buy employee you can sign up here. -->
http://tinyurl.com/kp8jwb via @Agent8819". That employee sign up link
takes you here: http://bbyconnect.appspot.com/connect/signup/ See the
problem yet? The first thing they ask you for is "Please enter your
Best Buy employee number and password", followed immediately by your
"Best Buy Corporate email address".

What's that? You want my name (Best Buy addresses are
firstname.lastname () bestbuy com), corporate email, employee number and
corporate password to be sent over the big bad Internet? To a preview
release of a service hosted by someone else? That's ok, it's
encrypted, right? WRONG. Never mind, I'll just change "http" to
"https". Wrong again. Though Google App Engine supports SSL it's
disabled for this application/URL so even though it looks like it
works you've just been silently redirected back to the insecure
address. Oops.

So here we have Best Buy soliciting corporate credentials with no
encryption whatsoever, over the public Internet (including any local,
potentially unprotected wireless), to a preview release of a service
they have little control over and, it gets better, verifying them in
real time! If you enter random details into the form it will tell you
instantly (that's right, no tarpitting or other delays) that "Employee
number or password is incorrect". Don't have a Best Buy employee
number to try? That's ok because they're only a Google search away
(along with network configuration information including server names)
and there doesn't appear to be anything stopping you from trying as
many times as you like either so brute force away.

Normally I'd have reported this via the usual channels but they've not
given any contact information whatsoever (except via public Twitter)
and besides, it's such a comedy of errors that they're probably better
off shutting it down than trying to fix it anyway. What I don't get
more than anything else is why they would bother trying to roll their
own when there are plenty of perfectly good services like CoTweet and
HootSuite that are being used with far better results by the likes of
Ford, Coke, Pepsi, JetBlue, Sprint & StarBucks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
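The quoted report faults the sign-up form for verifying credentials instantly, with no delay or attempt limit and a response that acts as an oracle. As an added example (not code from the original post, from Best Buy, or from the Twitter-related service discussed), the following Python models the controls a defender would want on such an endpoint: a tarpit that grows with each failure, a lockout after a fixed number of failures, and a single generic error message. The employee numbers, passwords and policy values are constructed; enforcing HTTPS is a server-configuration matter and is not modelled here.

```python
"""Tarpitted, lockout-protected credential check with a generic error.

Added example, not from the original post. Employee numbers, passwords
and the policy numbers below are constructed sample values.
"""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FREE_ATTEMPTS = 3      # failures tolerated before delays start
BASE_DELAY_SECONDS = 1.0   # doubles with every further failure
LOCKOUT_AFTER = 10         # failures after which the account is locked
GENERIC_ERROR = "Employee number or password is incorrect"


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps each guess expensive; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SignupAuthenticator:
    def __init__(self, store):
        self.store = store                 # employee_number -> (salt, hash)
        self.failures = defaultdict(int)   # consecutive failures per number

    def required_delay(self, employee_number):
        n = self.failures[employee_number]
        if n < MAX_FREE_ATTEMPTS:
            return 0.0
        return BASE_DELAY_SECONDS * 2 ** (n - MAX_FREE_ATTEMPTS)

    def is_locked(self, employee_number):
        return self.failures[employee_number] >= LOCKOUT_AFTER

    def check(self, employee_number, password, sleep=time.sleep):
        """Return (ok, message); the message never says which field failed."""
        if not self.is_locked(employee_number):
            sleep(self.required_delay(employee_number))   # tarpit
        record = self.store.get(employee_number)
        if record is None:
            _hash(password, b"\x00" * 16)   # equalise timing for unknown numbers
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(_hash(password, salt), expected)
        if self.is_locked(employee_number) or not ok:
            self.failures[employee_number] += 1
            return False, GENERIC_ERROR
        self.failures[employee_number] = 0  # success clears the counter
        return True, "ok"
```

The `sleep` parameter is injectable so the delay policy can be tested without actually waiting.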

