I actually never backup my tweets (nothing of value would be lost), and never intend to, but for the sake of posting something I’ve said I’d give it a go.

I’m gonna perform the backup from the command line (like a true magician) without using the twitter API, so only public tweets will be backed up.

Ok, first we need to know the number of tweets we are going to back up (in my case 630) and divide that number by 20 (the number of tweets per page) rounding up the result. In simple math:

630 / 20 = 31.5 ~ 32

Now we know my tweets are distributed on 32 pages.
Next we retrieve the 32 different pages via wget. First variant is from a Windows terminal:

for /L %i in (1,1,32) do @wget http://twitter.com/username?page=%i

The for trick is something I learned from the command line kung fu blog. It will iterate from 1 to 32 and store the value in the %i variable. Oh, and before you hit enter don’t forget to replace the username with your actual twitter username.

The Linux version is just a transcription of the above command:

for (i=0; i<32; i++); do `wget http://twitter.com/username?page=$i`; done

Hopefully I nailed it; didn't actually test the Linux command but it should work. If not, just leave me a comment with the correction.

As the rest goes, it's just simple regular expression matching and replacing (format a bit the end result).

grep -o -P "<span class=\"entry-content\">(.*?)</span>" * > brute.html
sed "s/<span class=\"entry-content\">//g" brute.html | sed "s/<\/span>/<br><br>/g" > final.html

After executing the last two commands you should have your tweets stored in the final.html file.

Due to this direction that Twitter is adopting (involuntarily) dozens of web applications have sprung up; from url shortening services to web applications like: WeFollow, TwitterSheep, TwitterTag, TwitVid, YFrog, TwitPic and many more…

Anyway, we’re going to talk about TwitPic… Among some annoyances it comes with; like: using HTTP even if SSL certificate is available, requesting username/password instead of using OAuth; recently (or at least I noticed yesterday and the blog didn’t work for me now) it implemented a more than annoying feature.

What’s wrong?

If you are using TwitPic you may notice that on the upload page there is a notice after the upload form, and I quote (partially, because I don’t want my account to be spammed):

Did you know you can post photos from your phone?
Just send your photos to
dblackshell.1768@twitpic.com

You can use the Subject line of the email to send a message along with your photo

A series of issues arise from this point onwards:

1. TwitPic stores usernames and passwords somewhere in plain text for Basic Auth authentication and tweeting when contacted via email.

2. The email option cannot be deactivated. Once you’ve logged to TwitPic you’re already vulnerable in a smaller or larger percentage.

3. The generated email address is of the format twitter_username.xxxx@twitpic.com, where xxxx is in a numeric format.

And how is that wrong?

It depends. On a targeted attack someone wouldn’t mind putting some effort in it. There are enough free hosting services out there which give you email sending functionality (restricted by a daily number thou), so mass mailing would be an option. Or welcome…

CSRF!

The setting page is CSRFeable, so setting a desired PIN (the 4 number digit) by the attacker isn’t out of the question.

How could this be beneficial for an attacker?

If you’re asking this question, maybe you should do more research on how influential people may be helpful for someone with obscure intentions.

• Would you click on a link Obama would post?
• What if I would have posted that tweet (assuming he ever used TwitPic)?
• What if on the landing page would be a Adobe Reader (it’s in vogue) exploit, browser exploit or some gay nigga porn (just for the lulz)?

p.s. If you were logged into TwitPic at the moment you visited this page, feel free to share you twitter username :)