The Twitter API contains a private endpoint that can be abused to send arbitrary text messages
----------------------------------------------------------------------------------------------

2015-04-28

1. Get the "Twitter for iPhone" consumer tokens, which are available on the web, for example here: https://gist.github.com/rhenium/3878505
2. Use the XAuth flow (https://dev.twitter.com/oauth/xauth) to obtain access tokens valid for some user, say @nst022.
3. POST an OAuth-signed request to https://api.twitter.com/1.1/device/register.json with the following parameters:
   raw_phone_number: +41764448212
   text_message: Dahu
   where "Dahu" can be an arbitrary message.
4. The phone number used in step 3 receives a text message that reads "Dahu", plus a code.

Here is a 23-second video that makes this scenario more visual: https://www.dropbox.com/s/4yzsfi8fnsrm3y5/twitter_api_abuse.mov?dl=0

You can reproduce the very same thing by using, say, STTwitter for OS X: https://github.com/nst/STTwitter#demo--test-project

I can see two issues here:

a) this API endpoint can be used to harass people
b) this API endpoint can be used to trick victims into believing that the SMS was sent by Twitter and make them open a malicious URL or follow a malicious process