Full Disclosure mailing list archives
Re: Using Twitter for Phishing Campaign / Spam / Followers?
From: huj huj huj <datskihuj () gmail com>
Date: Fri, 18 Mar 2011 16:58:08 +0100
With services like decaptcher and deathbycaptcha this would not be a hindrance anyway.

2011/3/15 Cal Leeming <cal () foxwhisper co uk>

> Agreed. These public API methods should have brute force protection at the very least. But, because they want instant in-line form validation for email address availability, this makes it difficult. In an ideal world, they'd have a CAPTCHA on the form, and only validate upon submit with a valid captcha.
>
> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <contact () reverseskills com> wrote:
>
>> The problem is to allow unlimited access to that resource, not the resource itself.
>>
>> 2011/3/15 Cal Leeming <cal () foxwhisper co uk>:
>>
>>> This conceptual flaw exists in most web apps which have a "reset password by email address" feature, as most will display an error if the email address does not exist in their database.
>>>
>>> On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <contact () reverseskills com> wrote:
>>>
>>>> Simple and easy way to get a list of email accounts used on Twitter. For phishing campaigns, custom spam...
>>>>
>>>> Twitter has been notified and I suppose it will someday be fixed, if they think it should be filtered.
>>>>
>>>> When you create a new Twitter account, the form requests a mailing address. Twitter verifies that the email account is not being used, but does not check any user token or limit the usage (captcha/block).
>>>>
>>>> https://twitter.com/signup -> http://twitter.com/users/email_available?email=
>>>>
>>>> We just need to automate it with a simple script.
>>>>
>>>> ***Everything you do will be your responsibility***
>>>>
>>>> -------------------
>>>> #!/usr/bin/python
>>>> import sys, json, urllib2, os
>>>>
>>>> # query the availability endpoint with the address given on the command line
>>>> f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
>>>> data = json.load(f)
>>>>
>>>> def valid():
>>>>     # "Email has already been taken" in the reply means the account exists
>>>>     return "Email has already been taken" in data["msg"]
>>>> -------------------
>>>>
>>>> We just need a list of users to test.. for example: http://twitter.com/about/employees (don't be evil is just an example!)
>>>>
>>>> Parsing the name/nickname and testing {user}@twitter.com, a few minutes later we have a list of ~400 valid internal emails *@twitter.com.
>>>>
>>>> An attacker could probably.. run a brute force attack (Google Apps), send phishing or try to exploit some browser bugs or similar. #Aurora #Google. Most of these e-mails are internal, not public..
>>>>
>>>> There are also some that make you think they are used for such A-Directory system users:
>>>>
>>>> ..
>>>> apache () twitter com
>>>> root () twitter com
>>>> mail () twitter com
>>>> ..
>>>>
>>>> But, if you download a database (Rockyou / Singles.org / Gawker / Rootkit.com) or just typical dictionaries and domains, it will be quite easy to get hold of a list of users large enough (*@hotmail.com, *@gmail.com, etc). For example, in my case I used it to find user accounts in a pentest of a company that used Twitter.
>>>>
>>>> But it is probably not a good idea to allow unlimited access; a malicious user could use these user lists for spam or phishing.
>>>>
>>>> --
>>>> Security Researcher
>>>> http://twitter.com/revskills
>>>> --
>>
>> --
>> Security Researcher
>> http://twitter.com/revskills
>> --
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
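The thread's underlying point is an availability oracle: an unauthenticated, unthrottled endpoint whose answer depends on whether an address is registered, the same shape as the "reset password by email" flaw Cal describes. The following is an added example, not code from the thread, from Twitter, or from any poster: it places that leaky pattern beside a hardened handler that returns an identical response for known and unknown addresses and throttles callers. The account store, caller keys, message strings and the `RateLimiter`/`hardened_email_check` names are all constructed for illustration.

```python
# Added example (not code from the thread or from Twitter): the leaky
# "is this email taken?" pattern beside an enumeration-resistant version.
# Account store, clock, caller keys and messages are constructed stand-ins.
import time
from collections import defaultdict

# Constructed sample of registered addresses (hypothetical, not real accounts).
REGISTERED = {"alice@example.com", "root@example.com"}

UNIFORM_MSG = "If this address can be used, a confirmation has been sent to it."


class RateLimiter:
    """Sliding-window counter keyed by caller identity (IP, session, API key).

    `clock` is injectable so behaviour can be checked without sleeping.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self._hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


def leaky_email_available(email):
    """The flaw under discussion: unauthenticated, unthrottled, and the
    response body changes with whether the address exists."""
    if email in REGISTERED:
        return {"valid": False, "msg": "Email has already been taken"}
    return {"valid": True, "msg": "Available!"}


def hardened_email_check(email, caller, limiter, outbox):
    """Enumeration-resistant variant.

    The HTTP-visible result is identical for known and unknown addresses;
    the existence-dependent branch only shows up in the mailbox of whoever
    owns the address (`outbox` stands in for a mail queue). A mail is queued
    on both branches so neither the body nor the amount of work differs.
    """
    if not limiter.allow(caller):
        return {"status": 429, "msg": "Too many requests, try again later"}
    if email in REGISTERED:
        outbox.append((email, "An account with this address already exists."))
    else:
        outbox.append((email, "Confirm your new account by following this link."))
    return {"status": 200, "msg": UNIFORM_MSG}


def distinct_responses(handler, emails):
    """What an enumerating client learns: the set of distinct answers it
    can observe across a list of candidate addresses."""
    return {repr(handler(e)) for e in emails}


if __name__ == "__main__":
    probes = ["alice@example.com", "nobody@example.com", "root@example.com"]
    print("leaky endpoint distinguishes addresses:",
          len(distinct_responses(leaky_email_available, probes)) > 1)
    limiter = RateLimiter(limit=20, window_seconds=60)
    outbox = []
    hardened = lambda e: hardened_email_check(e, "203.0.113.7", limiter, outbox)
    print("hardened endpoint distinguishes addresses:",
          len(distinct_responses(hardened, probes)) > 1)
```

The rate limiter is the "brute force protection at the very least" from the thread, but as huj notes, throttling and CAPTCHAs can be outpaced by solving services or many source addresses, so the uniform response is the control that actually closes the oracle; the cost is exactly the one Cal raises, since instant in-line "this address is taken" feedback cannot coexist with it and has to move to the post-submit, mailbox-confirmed step.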
Current thread:
- Using Twitter for Phishing Campaign / Spam / Followers? Reverse Skills (Mar 15)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Reverse Skills (Mar 15)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? huj huj huj (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? huj huj huj (Mar 21)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 21)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? huj huj huj (Mar 23)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Reverse Skills (Mar 15)
- Re: Using Twitter for Phishing Campaign / Spam / Followers? Cal Leeming (Mar 18)