HitB2012AMS: Whistling Over the Wire
Frank Breedijk
Arnauld is part of the Sogeti Red Team, whose mission is to test the security of companies without pre-defined perimeters.
For the intelligence phase of these tests he often uses Facebook, because it is easy to do. Twitter is different from Facebook because:
- Messages are shorter
- URLs are shorter
- Usernames are often less easily mapped to real people
In this presentation Arnauld wants to answer the following question: if I have a name and a Twitter account, is it possible to access the target's computer, and if so, how?
First Arnauld explains the fundamentals of Twitter and URL shortening services.
In order to achieve the objective he decided to create his own URL shortening service and use this to hack users.
A URL shortening service is very suitable because we control the data users see and get sent a lot of interesting information for free.
He needed a lot of twitter accounts and had to overcome two problems:
- You need lots of unique email addresses
- You need to break the captcha
In order to open a lot of Twitter accounts you need a lot of email accounts. Google is very helpful here because any dots in the account name are ignored by Gmail: an address with dots and the same address without them are the same mailbox to Gmail, but different addresses to Twitter.
The mobile captcha of Twitter is far easier to crack than the non-mobile version, so this version was used. In order to make his users convincing, he needed followers; there are a few ways to get them:
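As an added defender-side illustration (not code from the talk), the canonicalisation below makes dot variants of a Gmail address compare equal so a sign-up system can spot many accounts backed by one mailbox; it assumes gmail.com and googlemail.com deliver to the same inbox and that Gmail also ignores a "+tag" suffix.

```python
from collections import defaultdict

# Assumption: these domains ignore dots in the local part and "+tag" suffixes.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form so that addresses delivering to the same
    mailbox compare equal (e.g. j.doe@gmail.com and jdoe@gmail.com)."""
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0]   # drop "+tag" suffix
        local = local.replace(".", "")   # dots are ignored by Gmail
        domain = "gmail.com"             # googlemail.com is an alias (assumed)
    return f"{local}@{domain}"


def find_mailbox_reuse(registrations):
    """Group sign-up addresses by the mailbox they really deliver to and
    return only the groups that contain more than one distinct address."""
    groups = defaultdict(set)
    for addr in registrations:
        groups[canonical_email(addr)].add(addr.strip().lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample sign-ups (not taken from the talk).
SAMPLE_SIGNUPS = [
    "j.doe@gmail.com", "jd.oe@gmail.com", "jdoe+tw1@googlemail.com",
    "alice@example.org", "a.lice@example.org",
]

if __name__ == "__main__":
    for mailbox, variants in find_mailbox_reuse(SAMPLE_SIGNUPS).items():
        print(mailbox, "<-", ", ".join(variants))
```

Running it reports the single Gmail mailbox behind three of the sample sign-ups, while the two example.org addresses stay distinct because that domain is not dot-insensitive.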
- Make bots and cross add
- Buy them ($5-$15 for 100 followers a.k.a. the Ligatt way)
- Follow people from lists of followers, who often follow back
- Tweet about iPhone jailbreaks
One of the ways to solve this is to look at the user's Facebook account. This can be done with the history extraction attack (http://lcamtuf.coredump.cx).
Arnauld shows us a demo of this attack scenario: he redirects his target to an attack page and owns the machine from there.
Why this way? Less risk, it doesn't break the normal web experience, and it is not clear who the target of the attack was.
Materials of the presentation available via http://conference.hitb.org/hitbsecconf2012ams/materials/
ABOUT ARNAULD MASCRET
Arnauld Mascret has been a security researcher at Sogeti/ESEC since 2009. He has been working on information gathering from open sources and more specifically via social media.