Pasted by a guest, Mar 15th, 2011
A simple and easy way to get a list of email accounts used on Twitter, for phishing campaigns, custom spam...

Twitter has been notified, and I suppose it will be fixed someday if they think it should be filtered.

When you create a new Twitter account, the form requests an email address. Twitter verifies that the email address is not already in use, but does not check any user token or limit the usage (captcha/block).

https://twitter.com/signup -> http://twitter.com/users/email_available?email=

We just need to automate it with a simple script. ***Everything you do will be your responsibility***
-------------------
#!/usr/bin/python
import sys, json, urllib2

# Query the availability endpoint for the address given on the command line.
f = urllib2.urlopen("http://twitter.com/users/email_available?email=" + sys.argv[1])
data = json.load(f)

def valid():
    # The reply's "msg" field says "Email has already been taken" for a registered address.
    return "Email has already been taken" in data["msg"]

print valid()
-------------------
We just need a list of users to test.. for example: http://twitter.com/about/employees (don't be evil is just an example!)

Parsing the names/nicknames and testing {user}@twitter.com, a few minutes later we have a list of ~400 valid internal email addresses *@twitter.com. An attacker could probably.. run a brute force attack (Google Apps), send phishing or try to exploit some browser bugs or similar. #Aurora #Google. Most of these e-mails are internal, not public..

There are also some that make you think they are used by system accounts, such as A-Directory system users:
..
apache@twitter.com
root@twitter.com
mail@twitter.com
..

But if you download a database like Gawker / Rootkit.com, or just typical dictionaries and domains, it will be quite easy to get a huge list of valid users (*@hotmail.com, *@gmail.com, etc.). For example, in my case I used it to find user accounts in a pentest of a company that used Twitter. But it is probably not a good idea to allow unlimited access; a malicious user could use these user lists for spam or phishing.
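As an added example (not part of the paste or of Twitter's code), this is the kind of restriction the author says the endpoint is missing: the same availability check, but bound to a server-issued signup token and rate-limited per session. Addresses, secret, limits and function names are constructed for illustration.

```python
import hmac, hashlib, secrets, time
from collections import defaultdict

# Constructed sample of registered addresses; placeholders, not real accounts.
REGISTERED = {"alice@example.com", "bob@example.com"}
SECRET = secrets.token_bytes(32)      # per-deployment key for signup tokens
MAX_LOOKUPS_PER_WINDOW = 5
WINDOW_SECONDS = 60
TAKEN_MSG = "Email has already been taken"
_lookups = defaultdict(list)          # session_id -> timestamps of recent lookups

def email_available_unrestricted(email):
    """The behaviour the paste describes: any caller, no token, no limit."""
    taken = email in REGISTERED
    return {"valid": not taken, "msg": TAKEN_MSG if taken else ""}

def issue_signup_token(session_id, now):
    """Handed out with the signup form; binds later lookups to that session."""
    msg = f"{session_id}:{int(now)}".encode()
    return msg.hex() + "." + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _token_valid(token, session_id, now, max_age=600):
    try:
        body, mac = token.split(".")
        msg = bytes.fromhex(body)
    except ValueError:
        return False
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    sid, issued = msg.decode().rsplit(":", 1)
    return sid == session_id and 0 <= now - int(issued) <= max_age

def email_available_hardened(email, session_id, token, now=None):
    """Same check, but only for a live signup session and at most
    MAX_LOOKUPS_PER_WINDOW lookups per session per window."""
    now = time.time() if now is None else now
    if not _token_valid(token, session_id, now):
        return {"valid": None, "msg": "invalid_session"}
    recent = [t for t in _lookups[session_id] if now - t < WINDOW_SECONDS]
    _lookups[session_id] = recent
    if len(recent) >= MAX_LOOKUPS_PER_WINDOW:
        # A deployment would demand a CAPTCHA here and alert on repeat offenders.
        return {"valid": None, "msg": "rate_limited"}
    recent.append(now)
    return email_available_unrestricted(email)
```

The hardened version still answers honestly for a real signup (the form needs that), but a script with no session token, or one making many lookups, gets no answer.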
--
Security Researcher
http://twitter.com/revskills
--