lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 15 Mar 2011 13:47:25 +0000
From: Cal Leeming <cal@...whisper.co.uk>
To: Reverse Skills <contact@...erseskills.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Using Twitter for Phishing Campaign / Spam /
	Followers?

This conceptual flaw exists in most web apps which have a "reset password by
email address" feature, as most will display an error if the email address
does not exist in their database.

On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills
<contact@...erseskills.com>wrote:

> Simple and easy way to get a list of email accounts used on Twitter.
> For Phishing campaigns, custom Spam...
>
> Twitter has been notified and I suppose someday be fixed if they think
> there should be filtered.
>
> When you create a new Twitter account, the form requesting a mailing
> address. Twitter verify that the email account is not being used, but
> does not check any user token or limit the usage (captcha/block).
>
> https://twitter.com/signup ->
> http://twitter.com/users/email_available?email=
>
> We just need to automate it with a simple script , ***Everything you
> do will be your responsibility***
> -------------------
> #!/usr/bin/python
> import sys, json, urllib2, os
>
> f = urllib2.urlopen("http://twitter.com/users/email_available?email=
> "+sys.argv[1])
> data = json.load(f)
> def valid()
> ..
> Email has already been taken" in data ["msg"] <-- reply
> ..
> -------------------
>
> We just need a list of users to test.. for example :
> http://twitter.com/about/employees  (don't be evil is just an
> example!)
> Parsing the name/nickname and testing the {user}@...tter.com a few
> minutes later we have a list of ~ 400 valid internal email
> *@...tter.com. An attacker could probably.. a brute force attack
> (Google Apps), would send Phishing or try to exploit some browser bugs
> or similar. #Aurora #Google. Most of these e-mail are internal, not
> public..
> There are also some that make you think they are used to such
> A-Directory system users :
> ..
> apache@...tter.com
> root@...tter.com
> mail@...tter.com
> ..
>
> But, if you download a database Rockyou / Singles.org / Gawker /
> Rootkit.com or just a typical dictionaries and domains will be quite
> easy to get hold of a list of users large enough (*@...mail.com,
> *@...il.com, etc).For example in my case I used to find user accounts
> in a pentest of a company that used Twitter. But probably not a good
> idea to allow unlimited access, a malicious user could use these user
> lists for Spam or Phishing.
>
> --
> Security Researcher
> http://twitter.com/revskills
> --
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ