Dutch script kiddie pwns 20,000 Twitter profiles
How much do you have in common with the other lusers?
A Dutch teenager successfully hijacked 20,000 Twitter profiles to post a message dissing their owners for being slack with security.
Damien Reijnaers (@DamiaanR), 16, also induced his victims into tipping their hat to him for helping them to point out the error of their ways in the same update. He pulled off the trick by getting victims to sign up to a supposed profile comparison tool for daters called Pas jij bij mij? (Do you match with me?) ... Users who linked his app to their Twitter accounts were asked to grant the application permission to post updates.
The small print (as shown in Twitter's illustration of Twitpic's permissions screen) isn't even that small...
This ability was explained in the not-so-small print Twitter requires when users authorise a third-party application - something the victims apparently failed to heed, according to Dutch media reports. RTL Nieuws adds that Reijnaers previously uncovered a Facebook security flaw three years ago, aged only 13.
The update (example here), posted on Thursday morning, said:
Hoe slecht gaan mensen met hun twitter account om... groetjes, Damiaan Reijnaers. @NUnl @telegraaf @tweakers @nos @geen_stijl @volkskrant
This translates to "How badly people manage their Twitter accounts... Regards, Damien Reijnaers."
A quick search reveals that several hundred Twitter profiles, at least, were induced to make the update.
The prank does illustrate a wider privacy problem in both social media and mobile apps. Many request permissions they don't strictly need to perform their core functionality and these permissions can be abused, threatening user privacy in the process.
This is a difficult problem to solve because users simply don't have the time to pore through the often verbose, complicated terms and conditions or term of use statements attached to applications. Simple summaries in plain English (or Dutch) may help, but many users are likely to ignore even these. ®