Twitter trick - you can ask your readers to tweet about your post, but in fact send a DM. Example https://t.co/03nZRdP2xO
— Egor Homakov (@homakov) December 14, 2013
But you know what's really cool? ANY app can send a DM on behalf of your account by posting "d NAME TEXT" as a status to the API. I just tested with Twitpic, and as you can see it doesn't require any DM permissions.
Why is it a bug?
1) An app is supposed to hold the separate "Read, Write and Access direct messages" permission level before it can touch DMs. The "d NAME TEXT" shortcut lets a plain Read & Write app bypass that protection.
2) DMs are better suited to spam than tweets: the user will barely notice them.
3) DMs also don't show whether they were sent from the official client or from a 3rd-party OAuth client (tweets carry a "via ..." source line, DMs don't), which is great for phishing.
API docs:
[no permission] https://dev.twitter.com/docs/api/1.1/post/direct_messages/new
[warns about permission] https://dev.twitter.com/docs/api/1.1/get/direct_messages/show
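A worked model of the shortcut and the check it skips, added here as an example. It is not Twitter's code: the scope names, the shortcut grammar, the store and the handler names are assumptions made for illustration. The vulnerable handler routes the "d NAME TEXT" form to the DM store after checking only the write scope, as the post describes; the hardened handler sends the shortcut through the same gate as direct_messages/new so that a token without the DM scope fails closed.

```python
"""Model of the "d NAME TEXT" status shortcut and the scope check it skipped.

Added example, not Twitter's code. The scope names, the shortcut grammar
and the handler names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed scopes, standing in for Twitter's app permission levels:
# "Read only", "Read and Write", and "Read, Write and Access direct messages".
READ, WRITE, DM = "read", "write", "dm"

# Assumed grammar for the legacy shortcut: "d" or "D", whitespace, an optional
# "@", a 1-15 character handle, whitespace, then the message body.
SHORTCUT = re.compile(r"^[dD]\s+@?([A-Za-z0-9_]{1,15})\s+(.+)$", re.DOTALL)


class ScopeError(Exception):
    """Raised when a token lacks the scope an endpoint requires."""


@dataclass
class Store:
    """Toy backing store: what lands on the public timeline vs. in DMs."""
    tweets: list = field(default_factory=list)
    dms: list = field(default_factory=list)


def parse_shortcut(text):
    """Return (recipient, body) if text uses the DM shortcut, else None."""
    m = SHORTCUT.match(text.strip())
    return (m.group(1), m.group(2).strip()) if m else None


def require(scopes, needed):
    if needed not in scopes:
        raise ScopeError(f"token lacks the {needed!r} scope")


def direct_messages_new(store, sender, scopes, recipient, body):
    """POST direct_messages/new: the explicit endpoint, gated on the DM scope."""
    require(scopes, WRITE)
    require(scopes, DM)
    store.dms.append((sender, recipient, body))
    return "dm"


def statuses_update_vulnerable(store, sender, scopes, text):
    """POST statuses/update as the post describes it: the shortcut is honoured
    with only the WRITE scope, so a tweet-only app can send DMs."""
    require(scopes, WRITE)
    hit = parse_shortcut(text)
    if hit:
        store.dms.append((sender, *hit))   # bug: no DM scope check on this path
        return "dm"
    store.tweets.append((sender, text))
    return "tweet"


def statuses_update_fixed(store, sender, scopes, text):
    """Hardened form: the shortcut is routed through the same gate as
    direct_messages/new, so a missing DM scope fails closed. It does not
    fall back to posting the text publicly, which would leak the message."""
    require(scopes, WRITE)
    hit = parse_shortcut(text)
    if hit:
        recipient, body = hit
        return direct_messages_new(store, sender, scopes, recipient, body)
    store.tweets.append((sender, text))
    return "tweet"


if __name__ == "__main__":
    tweet_only = {READ, WRITE}         # what a Twitpic-style app holds
    vuln, fixed = Store(), Store()
    print(statuses_update_vulnerable(vuln, "alice", tweet_only, "d bob see you at 9"))
    print(vuln.dms)                    # the DM went out with no DM scope
    try:
        statuses_update_fixed(fixed, "alice", tweet_only, "d bob see you at 9")
    except ScopeError as e:
        print("blocked:", e)
    print(statuses_update_fixed(fixed, "alice", tweet_only, "done for today"))
```

The check in the hardened handler is the minimum: every path that can produce a DM has to pass the DM-scope gate, not just the endpoint whose name says "direct_messages". The simpler server-side fix is to stop honouring the shortcut for OAuth clients at all, since it exists for the 140-character single-input-box era and the explicit endpoint covers every legitimate use.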
You hope this post justifies your recent chunk of messages to my account?
sry bro, it waz gud find!:(
verified that it works by sending you a DOGE by DM!
Is this news? That is the classic syntax for DMs as it was when DMs were introduced. Back then there was just one input field and everything had to fit in the 140 characters. No embedded images and shortened URLs and stuff like that.
The vulnerability is that any OAuth client can send a DM while only having the ability to send regular tweets to the public timeline. A client is supposed to get special permission to send DMs, which my hack bypasses.
So just because you won't get paid means you can throw responsible disclosure right out the window?
Not always, given it's a company like Twitter, and they *intentionally* refuse to acknowledge guys with rewards.. It all doesn't matter because another guy said he reported it before and they refused to fix. Omg
Are you kidding me @ Anonymous? It's already fine he reported the vulnerability; what else do you want? A PDF file that explains every step?
@Egor
IIRC, the update to this post was posted after I made the comment, I think I can be forgiven for not knowing someone else had reported it.
That being said, rewards are a new-ish thing; for a long time, security researchers weren't rewarded with anything more than an acknowledgement. Occasionally, they'd be offered a job but more often than not, an acknowledgement is all they'd get.
To *expect* a reward is like a waitperson *expecting* a gratuity at a restaurant (where gratuities are common, that is). It's called a gratuity for a reason.
Responsible disclosure is the name of the game in security research; it doesn't take a whole lot of effort to wait a couple of days before reporting to the world at large.
@Anon
It would've been nice to see industry-standard responsible disclosure being practiced. As a twitter user myself, suppose twitter really did care about this bug; I'd prefer it fixed before the world (including spammers) at large knows about it.
No more free bugs. Valuable find. If you aren't reimbursed for the value, why not do what you wish? Hippy.
@Anon If you expect a reward then get a job working for a security research company; otherwise, you are a volunteer and since when have volunteers been guaranteed reimbursement? And as for "do[ing] what you wish", I'm not even going to address that absurdity.
Lulz @ security researchers are like wait staff. Author of comment obviously is not of sufficient logical capability to be a security researcher.
@Anon I was equating the expectation of a gratuity as wait staff to the expectation of a monetary reward as a volunteer. I think they're pretty equivalent situations: both are voluntarily given by the other party in the situation and the receiving party has no grounds on which to complain about the amount, if any. Given the situation for OP, this is a fair comparison.
Hard to believe it has been found only now, I'm sure someone knew this before you and made tens of thousands of dollars by exploiting the "flaw".
It doesn't work any more. I tried with Twitpic.
So is it fixed now? Can you confirm, Egor?
@Egor - Great find! Keep it up, glad to see someone is willing to smack the PBR right out of the Twitter hipsters' mitts!
Doesn't work anymore.
Why?