HitB2012AMS: Whistling Over the Wire

Not getting Involved – A CC NC image by Tarik Browne
By Arnauld Mascret (Security Researcher, SogeL / ESEC)

Arnauld is part of the Sogeti Red Team, who’s mission is to test the security of companies without pe-defined perimiters.

For the intelligance face of these test he often uses Facebook, because it is easy to do. Twitter is different from facebook because:
  • Messages are shorter
  • URLs are shorter
  • Usernames are often less easily mapped to real people

In this presentation Arnauld want to show the following: If I have and name and a Twitter account, if it possible to access a targets computer, if so, how?

First Arnauld explains the fundamentals of Twitter and URL shortening services.

When you look as hortening services you see the most use 301 and 302 redirection, 1 uses meta and javascript (t.co) and 2 use links.

In order to achieve the objective he decided to create his own url shortning service and use this to hack users.

A URL services is very suitable because we can control the data users see and get sent a lot of interesting information for free.

He needed a lot of twitter accounts and had to overcome two problems:
  • You need lots of unique email addresses
  • You need to break the captcha

In order to op a lot of twitter accounts you need a lot of email accounts. Google is very helpful here because any dots in the account are ignored by twitter therefore xxxxx.yyyyy@gmail.com is the same as x.xxxx.y.yyyy@gmail.com to gmail, but different to twitter.

The mobile captcha of Twitter is far easier to crack then the non-mobile version, so this version was used. in order to make his users convincing, he needed floowers, there are a few ways to get them:
  • Make bots and cross add
  • Buy them ($5-$15 for 100 followers a.k.a. the Ligatt way)
  • Get lists of followers and often follow back
  • Tweet about iphone jailbreaks
If you have everything setup the hardest way is to identify your target among all the different twitter users.

On of the ways to solve this, is to look at the users facebook account. This can be done by the history extraction attack http://lcamtuf.coredump.cx

Arnauld shows us a demo of this attack scenario and redirects his targets to an attack page and owns his machine from here.


Why this way. Less risk, doesn;t break normal web experience, it is not clear who the target of the attack was.

Materials of the presentation available via http://conference.hitb.org/hitbsecconf2012ams/materials/


Arnauld Mascret is a security researcher at Sogeti/ESEC since 2009. He has been working on information gathering on open sources and more specifically via social media.


Not Published

0/1000 characters
Go Top