Twitter trick - you can ask your readers to tweet about your post, but in fact send a DM. Example https://t.co/03nZRdP2xO
— Egor Homakov (@homakov) December 14, 2013
But you know what's really cool? ANY app can send a DM on behalf of your account, simply by sending the text "d NAME TEXT" to the API as if it were an ordinary tweet. I just tested it with Twitpic; as you can see, it doesn't require any DM permissions.
Why is it a bug?
1) An app is supposed to have Read & Write permission to access DMs. With this shortcut you can bypass that protection.
2) DMs are easier to use for spam: the user will barely notice it.
3) DMs also don't show whether they were sent with the official client or a third-party OAuth client, which is great for phishing.
[no permission] https://dev.twitter.com/docs/api/1.1/post/direct_messages/new
[warns about permission] https://dev.twitter.com/docs/api/1.1/get/direct_messages/show
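As an added example (not code from the original post or from Twitter), here is the kind of server-side check that closes this gap: it recognises the legacy "d NAME TEXT" shorthand in an incoming status update and refuses to deliver it as a DM unless the calling OAuth client was actually granted a DM scope. The scope names and the exact parsing rule are assumptions made for this illustration.

```python
import re

# Legacy shorthand described in the post: a status whose text reads
# "d NAME TEXT" is delivered as a direct message to NAME rather than
# posted publicly. Accepting an optional "@" and any case of "d" is a
# deliberately conservative (defensive) assumption, not Twitter's rule.
LEGACY_DM_RE = re.compile(
    r"^\s*d\s+@?([A-Za-z0-9_]{1,15})\s+(.+)$", re.IGNORECASE | re.DOTALL
)


def parse_legacy_dm(text):
    """Return (recipient, body) if text uses the legacy DM shorthand, else None."""
    match = LEGACY_DM_RE.match(text)
    if not match:
        return None
    return match.group(1), match.group(2).strip()


def authorize_status_update(app_scopes, text):
    """Decide what a status-update call is allowed to do for this app.

    app_scopes is the set of scopes granted to the OAuth client, e.g.
    {"read", "write"} or {"read", "write", "dm"} (scope names assumed here).
    Returns ("tweet", None), ("dm", (recipient, body)) or ("deny", reason).
    The point is that the DM scope is checked on the *effect* of the call,
    not on which endpoint the client happened to use.
    """
    dm = parse_legacy_dm(text)
    if dm is None:
        if "write" in app_scopes:
            return ("tweet", None)
        return ("deny", "app lacks write permission")
    recipient, body = dm
    if "dm" not in app_scopes:
        return ("deny", f"direct message to @{recipient} requires DM permission")
    return ("dm", (recipient, body))
```

A text such as "dog pictures" does not match, because the shorthand requires whitespace after the leading "d".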
You hope this post justifies your recent chunk of messages to my account?
sry bro, it waz gud find! :(
verified that it works by sending you a DOGE by DM!
Is this news? That is the classic syntax for DMs as it was when DMs were introduced. Back then there was just one input field and everything had to fit in the 140 characters. No embedded images and shortened URLs and stuff like that.
The vulnerability is that any OAuth client with only the ability to send regular tweets in the public timeline can send a DM. A client is supposed to get special permission to send DMs, which my hack bypasses.
So just because you won't get paid means you can throw responsible disclosure right out the window?
Not always, given it's a company like Twitter, and they *intentionally* refuse to acknowledge guys with rewards. It all doesn't matter because another guy said he reported it before and they refused to fix it. Omg
Are you kidding me @ Anonymous? It's already fine he reported the vulnerability; what else do you want? A PDF file that explains every step?
IIRC, the update to this post was posted after I made the comment, I think I can be forgiven for not knowing someone else had reported it.
That being said, rewards are a new-ish thing; for a long time, security researchers weren't rewarded with anything more than an acknowledgement. Occasionally, they'd be offered a job but more often than not, an acknowledgement is all they'd get.
To *expect* a reward is like a waitperson *expecting* a gratuity at a restaurant (where gratuities are common, that is). It's called a gratuity for a reason.
Responsible disclosure is the name of the game in security research; it doesn't take a whole lot of effort to wait a couple of days before reporting to the world at large.
It would've been nice to see industry-standard responsible disclosure being practiced. As a Twitter user myself, suppose Twitter really did care about this bug; I'd prefer it fixed before the world (including spammers) at large knows about it.
No more free bugs. Valuable find. If you aren't reimbursed for the value, why not do what you wish? Hippy.
@Anon If you expect a reward then get a job working for a security research company; otherwise, you are a volunteer, and since when have volunteers been guaranteed reimbursement? And as for "do[ing] what you wish", I'm not even going to address that absurdity.
Lulz @ security researchers are like wait staff. The author of that comment obviously is not of sufficient logical capability to be a security researcher.
@Anon I was equating the expectation of a gratuity as wait staff to the expectation of a monetary reward as a volunteer. I think they're pretty equivalent situations: both are voluntarily given by the other party in the situation and the receiving party has no grounds on which to complain about the amount, if any. Given the situation for OP, this is a fair comparison.
Hard to believe it has been found only now; I'm sure someone knew this before you and made tens of thousands of dollars by exploiting the "flaw".
It doesn't work any more. I tried with Twitpic.
So is it fixed now? Can you confirm, Egor?
@Egor - Great find! Keep it up, glad to see someone is willing to smack the PBR right out of the Twitter hipsters' mitts!
Doesn't work anymore.