Twitter DM character limit liberation spells opportunity for botnets
Direct message command and control hides in the walla walla rhubarb.
London security researcher Paul Amar has built a tool capable of exploiting Twitter's extended direct messaging function for covert botnet command and control.
Amar created Twittor which allows attackers of white or black hats to create a fleet of compromised machines that can communicate, receive instructions, and update over the social network.
Twitter removed its 140 character limit for private direct messages between accounts in August.
It's a stealthy attack, since the Twittor command-and-control network traffic looks the same as legitimate tweeting, so bots are hard to seek out and destroy, Amar says.
|A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server This project has been inspired by Gcat which does the same but using a Gmail account.
I mostly wanted to create a PoC after Twitter decided to remove the 140 characters limit for the Direct Messages. Few stuff should be added such as Encryption (Adding AES on top of it).
Twittor bots are limited to 100 direct messages a day. New bots can be created with additional accounts however.
The Python based Twittor can be downloaded on Github.
Amar has published other tools included a cross-site request forgery hacking toolkit and contributed to a Shodan Firefox extension. ®
Bootnote: Walla and rhubarb are the retrospective US and British terms in the media industry given to indistinct background chatter on TV and radio.