lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 Mar 2011 16:36:37 +0000
From: Cal Leeming <cal@...whisper.co.uk>
To: huj huj huj <datskihuj@...il.com>, contact@...erseskills.com, 
	full-disclosure@...ts.grok.org.uk
Subject: Re: Using Twitter for Phishing Campaign / Spam /
	Followers?

Lol, I didn't know about the commercial product 'decaptcher'.

For shits and giggles, I was going to write a decaptcha myself and release
as open source, never had time though :S

One option would be to apply rate limitations to API calls per IP.

Or, possibly some reallllllllly heavily obfuscated JS which does key
calculation with a matching server side algo, and injects the value into the
form upon submission. This is one of the methods we use on our paid adult
sites. Unless the person is really determined (and has the patience to
deobfuscate, then port to their own code), or their bots have spidermonkey
built in, then it usually fends off most botters.

To make it harder, we also have a library of about 500 of these (each with a
different key build algo), which are cycled automatically lol.

Example:

$(function() { var
_0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
var
_0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
});

Again, not perfect, but it's worked well for us :)


On Fri, Mar 18, 2011 at 3:58 PM, huj huj huj <datskihuj@...il.com> wrote:

> with services like decaptcher and deathbycaptcha this would not be a
> hindrance anyway
>
> 2011/3/15 Cal Leeming <cal@...whisper.co.uk>
>
>> Agreed. These public API methods should have brute force protection at the
>> very least. But, because they want instant in-line form validation for email
>> address availability, this makes it difficult. In an ideal world, they'd
>> have a CAPTCHA on the form,  and only validate upon submit with valid
>> captcha.
>>
>>
>> On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <
>> contact@...erseskills.com> wrote:
>>
>>> The problem is to allow unlimited access to that resource, not the
>>> resource itself.
>>>
>>> 2011/3/15 Cal Leeming <cal@...whisper.co.uk>:
>>> > This conceptual flaw exists in most web apps which have a "reset
>>> password by
>>> > email address" feature, as most will display an error if the email
>>> address
>>> > does not exist in their database.
>>> >
>>> > On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills <
>>> contact@...erseskills.com>
>>> > wrote:
>>> >>
>>> >> Simple and easy way to get a list of email accounts used on Twitter.
>>> >> For Phishing campaigns, custom Spam...
>>> >>
>>> >> Twitter has been notified and I suppose someday be fixed if they think
>>> >> there should be filtered.
>>> >>
>>> >> When you create a new Twitter account, the form requesting a mailing
>>> >> address. Twitter verify that the email account is not being used, but
>>> >> does not check any user token or limit the usage (captcha/block).
>>> >>
>>> >> https://twitter.com/signup ->
>>> >> http://twitter.com/users/email_available?email=
>>> >>
>>> >> We just need to automate it with a simple script , ***Everything you
>>> >> do will be your responsibility***
>>> >> -------------------
>>> >> #!/usr/bin/python
>>> >> import sys, json, urllib2, os
>>> >>
>>> >> f =
>>> >> urllib2.urlopen("http://twitter.com/users/email_available?email=
>>> "+sys.argv[1])
>>> >> data = json.load(f)
>>> >> def valid()
>>> >> ..
>>> >> Email has already been taken" in data ["msg"] <-- reply
>>> >> ..
>>> >> -------------------
>>> >>
>>> >> We just need a list of users to test.. for example :
>>> >> http://twitter.com/about/employees  (don't be evil is just an
>>> >> example!)
>>> >> Parsing the name/nickname and testing the {user}@...tter.com a few
>>> >> minutes later we have a list of ~ 400 valid internal email
>>> >> *@...tter.com. An attacker could probably.. a brute force attack
>>> >> (Google Apps), would send Phishing or try to exploit some browser bugs
>>> >> or similar. #Aurora #Google. Most of these e-mail are internal, not
>>> >> public..
>>> >> There are also some that make you think they are used to such
>>> >> A-Directory system users :
>>> >> ..
>>> >> apache@...tter.com
>>> >> root@...tter.com
>>> >> mail@...tter.com
>>> >> ..
>>> >>
>>> >> But, if you download a database Rockyou / Singles.org / Gawker /
>>> >> Rootkit.com or just a typical dictionaries and domains will be quite
>>> >> easy to get hold of a list of users large enough (*@...mail.com,
>>> >> *@...il.com, etc).For example in my case I used to find user accounts
>>> >> in a pentest of a company that used Twitter. But probably not a good
>>> >> idea to allow unlimited access, a malicious user could use these user
>>> >> lists for Spam or Phishing.
>>> >>
>>> >> --
>>> >> Security Researcher
>>> >> http://twitter.com/revskills
>>> >> --
>>> >>
>>> >> _______________________________________________
>>> >> Full-Disclosure - We believe in it.
>>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> >> Hosted and sponsored by Secunia - http://secunia.com/
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> --
>>> Security Researcher
>>> http://twitter.com/revskills
>>> --
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ