Full Disclosure mailing list archives
Re: Twitter Pro: Best Buy's @twelpforce is full of [security] fail
From: Iadnah <iadnah () uplinklounge com>
Date: Sun, 23 Aug 2009 07:54:24 -0400
This is hilarious. I like to point and laugh at the geek squad cars in my area and the hollow headed zombies in the stores, but this just takes the cake! Best Buy has to hire some of the stupidest motherfuckers they can find. I've actually heard of them turning away potential employees who have an A+ cert for being over qualified...

Sam Johnston wrote:

[I hope this light weekend reading is considered on-topic for full-disclosure but feel free to moderate/delete/ignore it if not]

Twitter Pro: Best Buy's @twelpforce is full of [security] fail
http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html

As you know I've been paying very close attention to Twitter this week and while trawling through their blog looking for [ab]use of various terms they're trying to trademark I found this little chestnut: BestBuy, Good Stuff. Basically, "BestBuy has created a program they call Twelpforce. The idea is that employees from across the organization can interact quickly and easily with customers who have questions about products". Curious, I took a look at @twelpforce and was greeted with this:

[pic]

Just in case you can't see it from here (or click through to the full size version), the first tweet is: "@SimonTheSnowman this is true, Best Buy will rule the world. via @mikelinsalaco". Here we have 12 year old Simon of Being Freakin' Awesome, Inc. (who can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/) being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco, I am kind of a big thing. Muthasuckin Mahogany and leatherbound books". As James Watters would say, the critique here writes itself? This is in line with Dave Zatz's observations too in suggesting Has Best Buy's Twelpforce Already Failed? Dave draws attention to this classy twelpforcer tweet (among others): "tweet tweet...im such a homo" - definitely not the sort of thing I'd want associated with my corporate branding, that's for sure.

This, viewers, is what Twitter has in mind for companies (having come clean after TechCrunch aired their dirty laundry in public). They are so excited in fact that "[they]'ve been studying how customers and businesses interact and derive value from Twitter [and] are putting together a document based on our studies and we'll find a spot on our web site to share it with everyone when it's ready". Definitely looking forward to leafing through that when it's available, though I'm guessing there'll have to be some fairly aggressive pre-press filtering if this is what the raw feed looks like. Despite appearances I do rather like Twitter and hope they do well - I'm just not convinced this is how they're going to make their millions.

Cutting to the chase, see that third tweet: "@missladii0430 #Twelpforce If you are a Best Buy employee you can sign up here. --> http://tinyurl.com/kp8jwb via @Agent8819". That employee sign up link takes you here: http://bbyconnect.appspot.com/connect/signup/

See the problem yet? The first thing they ask you for is "Please enter your Best Buy employee number and password", followed immediately by your "Best Buy Corporate email address". What's that? You want my name (Best Buy addresses are firstname.lastname () bestbuy com), corporate email, employee number and corporate password to be sent over the big bad Internet? To a preview release of a service hosted by someone else? That's ok, it's encrypted, right? WRONG. Never mind, I'll just change "http" to "https". Wrong again. Though Google App Engine supports SSL it's disabled for this application/URL so even though it looks like it works you've just been silently redirected back to the insecure address. Oops.

So here we have Best Buy soliciting corporate credentials with no encryption whatsoever, over the public Internet (including any local, potentially unprotected wireless), to a preview release of a service they have little control over and, it gets better, verifying them in real time! If you enter random details into the form it will tell you instantly (that's right, no tarpitting or other delays) that "Employee number or password is incorrect". Don't have a Best Buy employee number to try? That's ok because they're only a Google search away (along with network configuration information including server names) and there doesn't appear to be anything stopping you from trying as many times as you like either so brute force away.

Normally I'd have reported this via the usual channels but they've not given any contact information whatsoever (except via public Twitter) and besides, it's such a comedy of errors that they're probably better off shutting it down than trying to fix it anyway. What I don't get more than anything else is why they would bother trying to roll their own when there are plenty of perfectly good services like CoTweet and HootSuite that are being used with far better results by the likes of Ford, Coke, Pepsi, JetBlue, Sprint & StarBucks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
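The two defects the quoted post describes are a signup page whose https:// address silently redirects back to http://, and a credential check that answers instantly and accepts unlimited attempts. The following Python is an added illustration written for this archive page, not code from either poster or from the service discussed: it shows a downgrade check over a recorded redirect chain, and a login handler with a sliding-window attempt limit, lockout, and a password comparison that runs even for unknown employee numbers. The credential table, the salt, the employee number 1000001 and the IPs are all constructed sample values; the clock is injectable so the lockout can be exercised without waiting.

```python
"""Defensive checks for the two failure modes described in the thread:
(1) an https:// URL that silently redirects back to plain http://, and
(2) a credential-verifying endpoint with no throttling."""
from __future__ import annotations

import hashlib
import hmac
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit


def https_downgraded(chain: list[str]) -> bool:
    """True if the redirect chain (ordered list of URLs visited, first request
    included) reaches an https:// URL and is later sent to an http:// URL."""
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    if "https" not in schemes:
        return False
    after_first_https = schemes[schemes.index("https") + 1:]
    return "http" in after_first_https


class LoginThrottle:
    """Sliding-window failure counter per key (client IP plus submitted
    account) with a lockout once the limit is reached."""

    def __init__(self, max_attempts: int = 5, window_s: float = 300.0,
                 lockout_s: float = 900.0, now=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._now = now
        self._failures: dict[str, deque[float]] = defaultdict(deque)
        self._locked_until: dict[str, float] = {}

    def _prune(self, key: str, t: float) -> deque[float]:
        q = self._failures[key]
        while q and t - q[0] > self.window_s:
            q.popleft()
        return q

    def allowed(self, key: str) -> bool:
        t = self._now()
        if self._locked_until.get(key, 0.0) > t:
            return False
        return len(self._prune(key, t)) < self.max_attempts

    def record_failure(self, key: str) -> None:
        t = self._now()
        q = self._prune(key, t)
        q.append(t)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = t + self.lockout_s

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


class FakeClock:
    """Constructed clock so the lockout window can be tested deterministically."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


# Constructed sample credential store (hypothetical data, not from any real system).
_SALT = b"constructed-example-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


_USERS: dict[str, bytes] = {"1000001": _hash_pw("correct horse")}


def verify_login(throttle: LoginThrottle, client_ip: str,
                 employee_no: str, password: str) -> str:
    """Returns 'ok', 'invalid' or 'too_many_attempts'. The error for a wrong
    password and for an unknown employee number is the same, and the hash is
    computed in both cases so response time does not reveal which it was."""
    key = f"{client_ip}|{employee_no}"
    if not throttle.allowed(key):
        return "too_many_attempts"          # HTTP 429 in a real handler
    stored = _USERS.get(employee_no)
    candidate = _hash_pw(password)          # always paid, even for unknown users
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        throttle.record_failure(key)
        return "invalid"
    throttle.record_success(key)
    return "ok"


if __name__ == "__main__":
    print(https_downgraded(["https://example.test/signup/", "http://example.test/signup/"]))
    clock = FakeClock()
    th = LoginThrottle(max_attempts=3, window_s=60, lockout_s=600, now=clock)
    for _ in range(3):
        print(verify_login(th, "10.0.0.1", "1000001", "wrong"))
    print(verify_login(th, "10.0.0.1", "1000001", "correct horse"))
```

In a real deployment the throttle state would live in a shared store rather than process memory, and the key would typically combine client address with the submitted account so that a single source cannot spray one account and a distributed source cannot hammer one address unnoticed; the point here is that a failed guess costs time and a lockout, rather than an instant answer.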
Current thread:
- Twitter Pro: Best Buy's @twelpforce is full of [security] fail Sam Johnston (Aug 23)
- Re: Twitter Pro: Best Buy's @twelpforce is full of [security] fail Valdis' Mustache (Aug 23)
- Re: Twitter Pro: Best Buy's @twelpforce is full of [security] fail Iadnah (Aug 23)
- Re: Twitter Pro: Best Buy's @twelpforce is full of [security] fail Iadnah (Aug 23)