lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <21606dcf0908230124tbe083bfw46a713a01878b403@mail.gmail.com>
Date: Sun, 23 Aug 2009 10:24:42 +0200
From: Sam Johnston <samj@...j.net>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Twitter Pro: Best Buy's @twelpforce is full of
	[security] fail

[I hope this light weekend reading is considered on-topic for
full-disclosure but feel free to moderate/delete/ignore it if not]

Twitter Pro: Best Buy's @twelpforce is full of [security] fail
http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html

As you know I've been paying very close attention to Twitter this week
and while trawling through their blog looking for [ab]use of various
terms they're trying to trademark I found this little chestnut:
BestBuy, Good Stuff. Basically, "BestBuy has created a program they
call Twelpforce. The idea is that employees from across the
organization can interact quickly and easily with customers who have
questions about products". Curious I took a look at @twelpforce and
was greeted with this:

[pic]

Just in case you can't see it from here (or click through to the full
size version), the first tweet is:

    @SimonTheSnowman this is true, Best Buy will rule the world. via
@mikelinsalaco

Here we have 12 year old Simon of Being Freakin' Awesome, Inc. (who
can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/)
being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco,
I am kind of a big thing. Muthasuckin Mahogany and leatherbound
books". As James Watters would say, the critique here writes iself?

This is in line with Dave Zatz's observations too in suggesting Has
Best Buy’s Twelpforce Already Failed? Dave draws attention to this
classy twelpforcer tweet (among others): "tweet tweet...im such a
homo" - definitely not the sort of thing I'd want associated with my
corporate branding, that's for sure.

This, viewers, is what Twitter has in mind for companies (having come
clean after TechCrunch aired their dirty laundry in public). They are
so excited in fact that "[they]'ve been studying how customers and
businesses interact and derive value from Twitter [and] are putting
together a document based on our studies and we'll find a spot on our
web site to share it with everyone when it's ready". Definitely
looking forward to leafing through that when it's available, though
I'm guessing there'll have to be some fairly agressive pre-press
filtering if this is what the raw feed looks like. Despite appearances
I do rather like Twitter and hope they do well - I'm just not
convinced this is how they're going to make their millions.

Cutting to the chase, see that third tweet: "@missladii0430
#Twelpforce If you are a Best Buy employee you can sign up here. -->
http://tinyurl.com/kp8jwb via @Agent8819". That employee sign up link
takes you here: http://bbyconnect.appspot.com/connect/signup/ See the
problem yet? The first thing they ask you for is "Please enter your
Best Buy employee number and password", followed immediately by your
"Best Buy Corporate email address".

What's that? You want my name (Best Buy addresses are
firstname.lastname@...tbuy.com), corporate email, employee number and
corporate password to be sent over the big bad Internet? To a preview
release of a service hosted by someone else? That's ok, it's
encrypted, right? WRONG. Never mind, I'll just change "http" to
"https". Wrong again. Though Google App Engine supports SSL it's
disabled for this application/URL so even though it looks like it
works you've just been silently redirected back to the insecure
address. Oops.

So here we have Best Buy soliciting corporate credentials with no
encryption whatsoever, over the public Internet (including any local,
potentially unprotected wireless), to a preview release of a service
they have little control over and, it gets better, verifying them in
real time! If you enter random details into the form it will tell you
instantly (that's right, no tarpitting or other delays) that "Employee
number or password is incorrect". Don't have a Best Buy employee
number to try? That's ok because they're only a Google search away
(along with network configuration information including server names)
and there doesn't appear to be anything stopping you from trying as
many times as you like either so brute force away.

Normally I'd have reported this via the usual channels but they've not
given any contact information whatsoever (except via public Twitter)
and besides, it's such a comedy of errors that they're probably better
off shutting it down than trying to fix it anyway. What I don't get
more than anything else is why they would bother trying to roll their
own when there are plenty of perfectly good services like CoTweet and
HootSuite that are being used with far better results by the likes of
Ford, Coke, Pepsi, JetBlue, Sprint & StarBucks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ