CSRF Vulnerability in Twitter Allows Forced Following

Outsmart Malicious Hackers


I did mention this earlier in the week when I was talking about Twitter being used as a malware distribution platform, there also seems to be an auto follow vulnerability that spammers would love.

Do you remember Myspace and samy with 900,000 friends? Now we have johng77536 on Twitter!

Last week, TechCrunch’s Jason Kincaid wrote about an obvious Twitter vulnerability that allowed a user called “johng77536? to game the popular micro-blogging service to add thousands of followers (subscribers) in a short period of time.

The “johng77536? account has since been disabled but a security researcher tracking Twitter security flaws and weaknesses has discovered a new vulnerability that lets users easily game the “follow” system.

Whoever used this account was pretty stupid though hooking 7000 followers in a day, that raised some alarms for sure and now the account has been deleted.

I would guess however hundreds of other spammers are using the same technique in a much slower fashion to avoid detection. So watch out if you use Twitter you aren’t following some odd accounts that you didn’t manually subscribe to.

Raff showed me a proof-of-concept exploit that took advantage of a CSRF (cross site request forgery) bug to trick me into following his Twitter account by simply clicking on a rigged Web site. A spammer or phisher could abuse this vulnerability to gain thousands of “followers” and attempt social engineering attacks.

Twitter’s security team has promised a fix within 24 hours.

Raff’s discovery isn’t the first. He has assisted Twitter with fixing another bug that could be abused to send spam mails with malicious links. Several Twitter cross-site scripting bugs have also been found and fixed.

Twitter is actually a fairly simple service so I’m surprised they have so many issues.

I guess it’s the nature of any site that has POST/GET requests and especially those that use AJAX and aren’t aware of the security implications.

Tokens are important people, use them!

Source: Zdnet

Posted in: Hacking News

, , , , , , , ,


Latest Posts:


OWASP ZSC - Obfuscated Code Generator Tool OWASP ZSC – Obfuscated Code Generator Tool
OWASP ZSC is an open source obfuscated code generator tool in Python which lets you generate customized shellcodes and convert scripts to an obfuscated script.
A Look Back At 2017 – Tools & News Highlights A Look Back At 2017 – Tools & News Highlights
So here we are in 2018, taking a look back at 2017, quite a year it was. Here is a quick rundown of some of the best hacking/security tools released in 2017, the biggest news stories and the 10 most viewed posts on Darknet as a bonus.
Spectre & Meltdown Checker - Vulnerability Mitigation Tool For Linux Spectre & Meltdown Checker – Vulnerability Mitigation Tool For Linux
Spectre & Meltdown Checker is a simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Hijacker - Reaver For Android Wifi Hacker App Hijacker – Reaver For Android Wifi Hacker App
Hijacker is a native GUI which provides Reaver for Android along with Aircrack-ng, Airodump-ng and MDK3 making it a powerful Wifi hacker app.
Sublist3r - Fast Python Subdomain Enumeration Tool Sublist3r – Fast Python Subdomain Enumeration Tool
Sublist3r is a Python-based tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
coWPAtty Download - Audit Pre-shared WPA Keys coWPAtty Download – Audit Pre-shared WPA Keys
coWPAtty is a C-based tool for running a brute-force dictionary attack against WPA-PSK and audit pre-shared WPA keys.


4 Responses to CSRF Vulnerability in Twitter Allows Forced Following

  1. Flux September 11, 2008 at 5:28 pm #

    I hope twitter can get this problem fixed, it seems to cause some issues.

  2. Goodpeople September 22, 2008 at 7:57 am #

    Three Golden rules regarding Social Networks.

    1. Don’t use them
    2. Don’t subscribe to them
    3. Never log on to them

    (free after Robert Morris)

  3. Navin September 23, 2008 at 12:35 pm #

    I guess Rule 1 is the golden rule for social networking fanatics!!

  4. Pantagruel September 24, 2008 at 6:48 am #

    Free after Goodpeople ;)

    1. Scout out a pub/bar
    2. entice the intended target
    3. Buy him/her a beer/whine/cider
    4. enjoy the real world face to face