TwitPic – modern Twitter backdoor
For those of you who don’t use Twitter I should specify that Twitter has long since moved away from the “what are you doing” principle and today is more of a base framework (the Twitter API) for many new (and innovative?) web applications.
Because of this direction that Twitter has (involuntarily) taken, dozens of web applications have sprung up, from URL shortening services to applications like WeFollow, TwitterSheep, TwitterTag, TwitVid, YFrog, TwitPic and many more…
Anyway, we’re going to talk about TwitPic… Beyond the annoyances it already comes with, like using plain HTTP even though an SSL certificate is available and requesting your Twitter username/password instead of using OAuth, it recently (or at least I noticed it yesterday, and the blog wasn’t working for me at the time) implemented a more than annoying feature.
What’s wrong?
If you are using TwitPic you may notice that on the upload page there is a notice below the upload form, which I quote (partially, because I don’t want my account to be spammed):
Did you know you can post photos from your phone?
Just send your photos to
dblackshell.1768@twitpic.com
You can use the Subject line of the email to send a message along with your photo
A series of issues arise from this point onwards:
1. TwitPic stores Twitter usernames and passwords somewhere in plain text, because it needs them for Basic Auth to tweet on your behalf when it is contacted via email.
2. The email option cannot be deactivated. Once you have logged in to TwitPic you are already exposed, to a smaller or larger degree.
3. The generated email address has the format twitter_username.xxxx@twitpic.com, where xxxx is a numeric value.
And how is that wrong?
It depends. In a targeted attack someone wouldn’t mind putting some effort into it. There are enough free hosting services out there that provide email sending functionality (restricted to a daily quota, though), so mass mailing would be an option. Or, welcome…
CSRF!
The settings page is vulnerable to CSRF, so an attacker setting a PIN of their choosing (the 4-digit number) isn’t out of the question.
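As an added example (not code from the original post or from TwitPic), here is a minimal model of the Email PIN settings handler described above, first with the CSRF flaw and then hardened with a per-session synchronizer token; the in-memory user and session stores, the cookie value and the handler names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory stands-ins for the site's user and session tables (assumption).
USERS = {"dblackshell": {"email_pin": "1768"}}
SESSIONS = {"sess-abc": {"user": "dblackshell"}}  # session cookie value -> session


def handle_pin_update_vulnerable(cookie, form):
    """Mirrors the flaw in the post: any POST that carries the victim's session
    cookie is honoured, so a form submitted from an attacker's page (the browser
    attaches the cookie automatically) can overwrite the PIN."""
    user = SESSIONS[cookie]["user"]
    USERS[user]["email_pin"] = form["pin"]
    return 200


def issue_csrf_token(cookie):
    """Synchronizer-token pattern: one unguessable token per session, rendered
    into the legitimate settings form as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[cookie]["csrf"] = token
    return token


def handle_pin_update_hardened(cookie, form):
    """Reject the update unless the submitted form carries the session's token.
    A cross-origin page cannot read the token, so a forged form cannot supply it.
    The PIN format is validated as well, so only 4-digit values are stored."""
    sess = SESSIONS[cookie]
    expected = sess.get("csrf")
    supplied = form.get("csrf", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    pin = form.get("pin", "")
    if not (pin.isdigit() and len(pin) == 4):
        return 400
    USERS[sess["user"]]["email_pin"] = pin
    return 200
```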
How could this be beneficial for an attacker?
If you’re asking this question, maybe you should do more research on how influential people can be useful to someone with obscure intentions.
- Would you click on a link Obama would post?
- What if I had posted that tweet instead (assuming he ever used TwitPic)?
- What if the landing page contained an Adobe Reader exploit (it’s in vogue), a browser exploit or some offensive content (just for the lulz)?
p.s. If you were logged into TwitPic at the moment you visited this page, feel free to share your Twitter username :)


[...] Vulnerabilities 1) Cross-Site Request Forgery in the Email PIN Settings page. Status: Patched. Details: This vulnerability was reported by dblackshell. See dblackshell’s advisory for more details: http://insanesecurity.info/blog/twitpic-modern-twitter-backdoor [...]