with services like decaptcher and deathbycaptcha this would not be a hindrance anyway
2011/3/15 Cal Leeming <[email protected]> > Agreed. These public API methods should have brute force protection at the > very least. But, because they want instant in-line form validation for email > address availability, this makes it difficult. In an ideal world, they'd > have a CAPTCHA on the form, and only validate upon submit with valid > captcha. > > > On Tue, Mar 15, 2011 at 3:02 PM, Reverse Skills <[email protected] > > wrote: > >> The problem is to allow unlimited access to that resource, not the >> resource itself. >> >> 2011/3/15 Cal Leeming <[email protected]>: >> > This conceptual flaw exists in most web apps which have a "reset >> password by >> > email address" feature, as most will display an error if the email >> address >> > does not exist in their database. >> > >> > On Tue, Mar 15, 2011 at 12:19 PM, Reverse Skills < >> [email protected]> >> > wrote: >> >> >> >> Simple and easy way to get a list of email accounts used on Twitter. >> >> For Phishing campaigns, custom Spam... >> >> >> >> Twitter has been notified and I suppose someday be fixed if they think >> >> there should be filtered. >> >> >> >> When you create a new Twitter account, the form requesting a mailing >> >> address. Twitter verify that the email account is not being used, but >> >> does not check any user token or limit the usage (captcha/block). >> >> >> >> https://twitter.com/signup -> >> >> http://twitter.com/users/email_available?email= >> >> >> >> We just need to automate it with a simple script , ***Everything you >> >> do will be your responsibility*** >> >> ------------------- >> >> #!/usr/bin/python >> >> import sys, json, urllib2, os >> >> >> >> f = >> >> urllib2.urlopen("http://twitter.com/users/email_available?email= >> "+sys.argv[1]) >> >> data = json.load(f) >> >> def valid() >> >> .. >> >> Email has already been taken" in data ["msg"] <-- reply >> >> .. >> >> ------------------- >> >> >> >> We just need a list of users to test.. for example : >> >> http://twitter.com/about/employees (don't be evil is just an >> >> example!) >> >> Parsing the name/nickname and testing the {user}@twitter.com a few >> >> minutes later we have a list of ~ 400 valid internal email >> >> *@twitter.com. An attacker could probably.. a brute force attack >> >> (Google Apps), would send Phishing or try to exploit some browser bugs >> >> or similar. #Aurora #Google. Most of these e-mail are internal, not >> >> public.. >> >> There are also some that make you think they are used to such >> >> A-Directory system users : >> >> .. >> >> [email protected] >> >> [email protected] >> >> [email protected] >> >> .. >> >> >> >> But, if you download a database Rockyou / Singles.org / Gawker / >> >> Rootkit.com or just a typical dictionaries and domains will be quite >> >> easy to get hold of a list of users large enough (*@hotmail.com, >> >> *@gmail.com, etc).For example in my case I used to find user accounts >> >> in a pentest of a company that used Twitter. But probably not a good >> >> idea to allow unlimited access, a malicious user could use these user >> >> lists for Spam or Phishing. >> >> >> >> -- >> >> Security Researcher >> >> http://twitter.com/revskills >> >> -- >> >> >> >> _______________________________________________ >> >> Full-Disclosure - We believe in it. >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >> Hosted and sponsored by Secunia - http://secunia.com/ >> > >> > >> >> >> >> -- >> -- >> Security Researcher >> http://twitter.com/revskills >> -- >> > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
