Dutch script kiddie pwns 20,000 Twitter profiles
How much do you have in common with the other lusers?
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
A Dutch teenager successfully hijacked 20,000 Twitter profiles to post a message dissing their owners for being slack with security.
Damien Reijnaers (@DamiaanR), 16, also induced his victims into tipping their hat to him for helping them to point out the error of their ways in the same update. He pulled off the trick by getting victims to sign up to a supposed profile comparison tool for daters called Pas jij bij mij? (Do you match with me?) ... Users who linked his app to their Twitter accounts were asked to grant the application permission to post updates.
The small print (as shown in Twitter's illustration of Twitpic's permissions screen) isn't even that small...
This ability was explained in the not-so-small print Twitter requires when users authorise a third-party application - something the victims apparently failed to heed, according to Dutch media reports. RTL Nieuws adds that Reijnaers previously uncovered a Facebook security flaw three years ago, aged only 13.
The update (example here), posted on Thursday morning, said:
Hoe slecht gaan mensen met hun twitter account om... groetjes, Damiaan Reijnaers. @NUnl @telegraaf @tweakers @nos @geen_stijl @volkskrant
This translates to "How badly people manage their Twitter accounts... Regards, Damien Reijnaers."
A quick search reveals that several hundred Twitter profiles, at least, were induced to make the update.
The prank does illustrate a wider privacy problem in both social media and mobile apps. Many request permissions they don't strictly need to perform their core functionality and these permissions can be abused, threatening user privacy in the process.
This is a difficult problem to solve because users simply don't have the time to pore through the often verbose, complicated terms and conditions or term of use statements attached to applications. Simple summaries in plain English (or Dutch) may help, but many users are likely to ignore even these. ®
COMMENTS
Re: ...verbose, complicated terms and conditions...
Indeed, they are not complicated. To Joe Public, they say, "Argle Flargle. Fleen your ogglefloggle?" and they stop him from using the application until he clicks "OK", which of course he does.
Re: ...verbose, complicated terms and conditions...
Too too true...the number of times I have tried to download a simple app only to have it ask me for permission to go into just about every part of the system for some undisclosed irrelevant reason. Strangely enough when I tell it to swivel the app won't run.....meh, plenty more fish in the sea*
* for younger viewers, it was once thought that there was an endless supply of fish. It now turns out that you need to leave some to let them make more fish.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
