|
Full Disclosure
mailing list archives
Re: Using Twitter for Phishing Campaign / Spam / Followers?
From: huj huj huj <datskihuj () gmail com>
Date: Fri, 18 Mar 2011 16:58:08 +0100
with services like decaptcher and deathbycaptcha this would not be a
hindrance anyway
2011/3/15 Cal Leeming <cal () foxwhisper co uk>
Agreed. These public API methods should have brute force protection at the
very least. But, because they want instant in-line form validation for email
address availability, this makes it difficult. In an ideal world, they'd
have a CAPTCHA on the form, and only validate upon submit with valid
captcha.
On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <contact () reverseskills com
wrote:
The problem is to allow unlimited access to that resource, not the
resource itself.
2011/3/15 Cal Leeming <cal () foxwhisper co uk>:
This conceptual flaw exists in most web apps which have a "reset
password by
email address" feature, as most will display an error if the email
address
does not exist in their database.
On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <
contact () reverseskills com>
wrote:
Simple and easy way to get a list of email accounts used on Twitter.
For Phishing campaigns, custom Spam...
Twitter has been notified and I suppose someday be fixed if they think
there should be filtered.
When you create a new Twitter account, the form requesting a mailing
address. Twitter verify that the email account is not being used, but
does not check any user token or limit the usage (captcha/block).
https://twitter.com/signup ->
http://twitter.com/users/email_available?email=
We just need to automate it with a simple script , ***Everything you
do will be your responsibility***
-------------------
#!/usr/bin/python
import sys, json, urllib2, os
f =
urllib2.urlopen("http://twitter.com/users/email_available?email=
"+sys.argv[1])
data = json.load(f)
def valid()
..
Email has already been taken" in data ["msg"] <-- reply
..
-------------------
We just need a list of users to test.. for example :
http://twitter.com/about/employees (don't be evil is just an
example!)
Parsing the name/nickname and testing the {user} () twitter com a few
minutes later we have a list of ~ 400 valid internal email
* () twitter com An attacker could probably.. a brute force attack
(Google Apps), would send Phishing or try to exploit some browser bugs
or similar. #Aurora #Google. Most of these e-mail are internal, not
public..
There are also some that make you think they are used to such
A-Directory system users :
..
apache () twitter com
root () twitter com
mail () twitter com
..
But, if you download a database Rockyou / Singles.org / Gawker /
Rootkit.com or just a typical dictionaries and domains will be quite
easy to get hold of a list of users large enough (* () hotmail com,
* () gmail com, etc).For example in my case I used to find user accounts
in a pentest of a company that used Twitter. But probably not a good
idea to allow unlimited access, a malicious user could use these user
lists for Spam or Phishing.
--
Security Researcher
http://twitter.com/revskills
--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
--
Security Researcher
http://twitter.com/revskills
--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
|
