Dutch script kiddie pwns 20,000 Twitter profiles

A Dutch teenager successfully hijacked 20,000 Twitter profiles to post a message dissing their owners for being slack with security. Damien Reijnaers (@DamiaanR), 16, also induced his victims into tipping their hat to him for helping them to point out the error of their ways in the same update. He pulled off the trick by getting …

COMMENTS

Facepalm

tl;dr

B/c ppl hv attn spans of gnats.

Flame

Re: tl;dr

LOL@U U SPELT NATS RONG

Bronze badge

Re: tl;dr...B/c ppl hv attn spans of gnats.

Actually, some of my co-workers have only a 140 character attention span. Anything longer is treated as tl;dr.

Anonymous Coward

Re: tl;dr...B/c ppl hv attn spans of gnats.

Sorry, you were sayi... what was I doing here?

Black Helicopters

...verbose, complicated terms and conditions...

> This application will be able to:
>
> Post Tweets for you.

Those terms aren't verbose or complicated. There's no real conditions involved in that one. Yes, malicious users can have a field day if you authorize an untrusted source to publish information using your information. It becomes trivial at that point, since you've expressly authorized code you have zero control of from a developer you have zero knowledge of to have near complete access to your account.

The more and more people move to social media and feel it's okay to authorize whatever little crap they find to have complete access to the details of their account, the more and more you will see actions like this occur. Call me an old stick in the mud, but I rarely post any form of information sensitive to social media sites, and don't use many apps with them, because I do not like the authorizations required for most of them. In fact, I'm the same way with my phone. When some little game wants access to my contacts and ability to monitor phone calls, it is not installed.

This also has implications among law enforcement techniques, as well. If Farmville has complete, unfettered access to your Facebook and cell phone, what stops the feds from issuing a secret subpoena to Farmville to kill two birds with one stone?


Re: ...verbose, complicated terms and conditions...

Indeed, they are not complicated. To Joe Public, they say, "Argle Flargle. Fleen your ogglefloggle?" and they stop him from using the application until he clicks "OK", which of course he does.

Bronze badge

Re: ...verbose, complicated terms and conditions...

Too too true... the number of times I have tried to download a simple app only to have it ask me for permission to go into just about every part of the system for some undisclosed irrelevant reason. Strangely enough, when I tell it to swivel the app won't run... meh, plenty more fish in the sea*

* for younger viewers, it was once thought that there was an endless supply of fish. It now turns out that you need to leave some to let them make more fish.

Silver badge

Re: ...verbose, complicated terms and conditions...

I know people like to diss this "Joe Public" guy, but really, "post tweets on your behalf" is pretty damned simple to understand. If you don't know what posting a tweet is, what the hell are you doing on Twitter?

Methinks this prankster hit 20,000 people on the very low end of the bell curve.

Silver badge

Re: ...verbose, complicated terms and conditions...

> I know people like to diss this "Joe Public" guy, but really, "post tweets on your behalf" is pretty damned simple to understand.

Not everybody knows where their behalf is or can imagine why somebody would want to post a tweet on it.

Thumb Up

Re: ...verbose, complicated terms and conditions...

If this makes one person pay attention to the permissions they grant things, it'll be a job well done in my book.


This post has been deleted by a moderator

WTF?

so where's the story here?

App uses permissions users granted it?

Silver badge
Paris Hilton

Yes

> Users who linked his app to their Twitter accounts were asked to grant the application permission to post updates.

So, they grant the application permission and the application posts?

Why is this considered a "hijacking"?

h3
Bronze badge

Dunno why anyone would want an application for Facebook / Twitter. All they seem to do is spam.

Bronze badge
Pint

@h3

Dunno why anyone would want Facebook / Twitter. All they seem to do is spam.

There you go... fixed it for you. Beer-thirty time!

Bronze badge

> This is a difficult problem to solve because users simply don't have the time to pore through the often verbose, complicated terms and conditions or term of use statements attached to applications.

This is a difficult problem to solve because users simply don't have the time to pour through the often verbose, complicated terms and conditions or term of use statements attached to applications.

Fixed it.


Are you completely sure about that...?

Bronze badge
Thumb Up

Score one for DD!

http://www.dailywritingtips.com/poring-over-pore-and-pour/


I bet a good number of the 20K have antivirus installed and a firewall, other than the one on their router, running in the background.

"The most important part of a car is the nut behind the wheel!" analogy fits very well in this instance!

Holmes

Not sure but...

don't Twitter have a responsibility to police apps that use their API? Particularly when the developer has to obtain a key to use that API in the first place?

Anonymous Coward

What's the story?

So some people signed up to a service and allowed that service to have (easily revokable) access to their twitter account so it could tweet. Then the owner of that service used the permission they were granted to post a tweet. The only story is that the tweet wasn't particularly pleasant.

Bronze badge
Childcatcher

New Focus

I look at this as the early days of AV software (NO, don't start in on the heuristics versus signature argument!) in that this is an emerging area of concern for security folks. There are a few apps out there that scan for unnecessary permissions and the presence of adware, but the onus is still on the user to decide what to do about the potentially problematic apps. Sooner or later, we will see certain behaviors defined as malicious or unacceptable and blocked without user intervention.

On one hand, nothing is free and it seems reasonable to expect to deal with ads or other methods for the app developer to make some money off our downloads. On the other hand, one of the underpinnings of the use of apps paid for by data tracking and ads is informed consent.


Re: New Focus

I'd like an app that tells me which processes are going online.

Since Orange fucked up my broadband 7 days ago I've plugged in a 56k modem for emergencies.

Amazing how often the "go online" box pops up these days!


How is this hijacking?

They shouldn't have allowed an app from a source they don't trust... he didn't hijack their accounts though; that would imply he gained control of the account, was able to log in as them, etc.

(Written by Reg staff) Silver badge

Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking then I'm a banana.

C.

Bronze badge
Facepalm

?

"Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking then I'm a banana."

Wait, it's hijacking because it is missing the functionality of comparing Twitter accounts? So, if it did what the user expected by comparing profiles as well as what it did, it wouldn't be? This is exploiting, not hijacking.

The closest you get to the word "Hijack" in this regard is...

2. b : to subject to extortion or swindling

http://www.merriam-webster.com/dictionary/hijack

The closest you get to the word "Exploit" in this regard is...

2. to make use of meanly or unfairly for one's own advantage <exploiting migrant farm workers>

So, are you rotten or ripe?

Silver badge

@diodesign

Totally off-topic, but considering how you Reg folks don't post that often...

Just wanted to say that the badge system implementation looks more impressive to me. I know plenty of web forums where the staff always gets the full load of "achievements" because well, they're the staff.

So seeing a bronze badge behind your name tells me that you guys like to play by the same rules you laid out, which IMO is recommendable. Just saying.

And now back to our regular program...

Anonymous Coward

Plaintive plantain

"...Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking then I'm a banana..."

Good morning, Mr. Fyffe. May I just say how fantastically curved and yellow you're looking today!

Yesterday a tramp asked me for some money for a "cup of tea". After voluntarily handing over said coinage, I subsequently observed him using it to buy a can of "Old BallBaggers Liver-Crippler" extra strength lager instead. Oh noes! I must immediately hotfoot it down to my local nick and report that I have been the victim of a hijacking!


Pown?

"Definition of hijacking is to take over something and use it for a different purpose."

This kid hasn't taken over anything. He doesn't own the phone or the Twitter account. Just turn his app off.

(Written by Reg staff) Silver badge

Re: Pown?

Perhaps you would have preferred "joyride" to "hijack", then? Thanks anyway for the feedback. We'll have to agree to disagree.

C.


Twitter is the worst

The other thing is LinkedIn. Most competent people don't bother with it, but there is a hard core of LinkedIn users who want you to believe that they are employable. They are doing this by getting their agents into prominent media positions to forward the LinkedIn agenda, telling you that you are scum for not being on it.

But Twitter is like that, but without the aspect of anyone getting a job at the end of it. Pure evil.


"Talk sense to a fool and he calls you foolish" - Euripides

Thumb Down

Still better than LinkedIn

LinkedIn is even (shocking!) directly asking for your mail password to access your contacts (and so propose connections).

At least Twitter has a decent OAuth authorization scheme (though that still doesn't help, as the article shows).
