back to article Dutch script kiddie pwns 20,000 Twitter profiles

A Dutch teenager successfully hijacked 20,000 Twitter profiles to post a message dissing their owners for being slack with security. Damien Reijnaers (@DamiaanR), 16, also induced his victims into tipping their hat to him for helping them to point out the error of their ways in the same update. He pulled off the trick by …

COMMENTS

This topic is closed for new posts.
  1. Michael Hawkes
    Facepalm

    tl;dr

    B/c ppl hv attn spans of gnats.

    1. CADmonkey
      Flame

      Re: tl;dr

      LOL@U U SPELT NATS RONG

    2. Fatman

      Re: tl;dr...B/c ppl hv attn spans of gnats.

      Actually, some of my co-workers have only a 140 character attention span. Anything longer is treated as tl;dr.

      1. Anonymous Coward
        Anonymous Coward

        Re: tl;dr...B/c ppl hv attn spans of gnats.

        Sorry, you were sayi... what was I doing here?

  2. Vin King
    Black Helicopters

    ...verbose, complicated terms and conditions...

    This application will be able to:

    Post Tweets for you.

    Those terms aren't verbose or complicated. There's no real conditions involved in that one. Yes, malicious users can have a field day if you authorize an untrusted source to publish information using your information. It becomes trivial at that point, since you've expressly authorized code you have zero control of from a developer you have zero knowledge of to have near complete access to your account.

    The more and more people move to social media and feel it's okay to authorize whatever little crap they find to have complete access to the details of their account, the more and more you will see actions like this occur. Call me an old stick in the mud, but I rarely post any form of information sensitive to social media sites, and don't use many apps with them, because I do not like the authorizations required for most of them. In fact, I'm the same way with my phone. When some little game wants access to my contacts and ability to monitor phone calls, it is not installed.

    This also has implications among law enforcement techniques, as well. If Farmville has complete, unfettered access to your Facebook and cell phone, what stops the feds from issuing a secret subpoena to Farmville to kill two birds with one stone?

    1. Steve the Cynic

      Re: ...verbose, complicated terms and conditions...

      Indeed, they are not complicated. To Joe Public, they say, "Argle Flargle. Fleen your ogglefloggle?" and they stop him from using the application until he clicks "OK", which of course he does.

      1. Kevin Johnston

        Re: ...verbose, complicated terms and conditions...

        Too too true...the number of times I have tried to download a simple app only to have it ask me for permission to go into just about every part of the system for some undisclosed irrelevant reason. Strangely enough when I tell it to swivel the app won't run.....meh, plenty more fish in the sea*

        * for younger viewers, it was once thought that there was an endless supply of fish. It now turns out that you need to leave some to let them make more fish.

      2. M Gale

        Re: ...verbose, complicated terms and conditions...

        I know people like to diss this "Joe Public" guy, but really, "post tweets on your behalf" is pretty damned simple to understand. If you don't know what posting a tweet is, what the hell are you doing on Twitter?

        Methinks this prankster hit 20,000 people on the very low end of the bell curve.

        1. Ole Juul

          Re: ...verbose, complicated terms and conditions...

          I know people like to diss this "Joe Public" guy, but really, "post tweets on your behalf" is pretty damned simple to understand.

          Not everybody knows where their behalf is or can imagine why somebody would want to post a tweet on it.

      3. edge_e
        Thumb Up

        Re: ...verbose, complicated terms and conditions...

        If this makes one person pay attention to the permissions they grant things, it'll be a job well done in my book.

  3. 142
    WTF?

    so where's the story here?

    App uses permissions users granted it?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Yes

      > Users who linked his app to their Twitter accounts were asked to grant the application permission to post updates.

      So, they grant the application permission and the application posts?

      Why is this considered a "hijacking"?

  4. h3

    Dunno why anyone would want an application for Facebook / Twitter. All they seem to do is spam.

    1. ItsNotMe
      Pint

      @h3

      Dunno why anyone would want Facebook / Twitter. All they seem to do is spam.

      There you go...fixed it for you. Beer-thirty time!

  5. Alistair

    This is a difficult problem to solve because users simply don't have the time to pore through the often verbose, complicated terms and conditions or term of use statements attached to applications.

    This is a difficult problem to solve because users simply don't have the time to pour through the often verbose, complicated terms and conditions or term of use statements attached to applications.

    Fixed it.

    1. David Dawson

      Are you completely sure about that .... ?

      1. ItsNotMe
        Thumb Up

        Score one for DD!

        http://www.dailywritingtips.com/poring-over-pore-and-pour/

  6. Adze

    I bet a good number of the 20K have antivirus installed and a firewall, other than the one on their router, running in the background.

    "The most important part of a car is the nut behind the wheel!" analogy fits very well in this instance!

  7. Tim Brown 1
    Holmes

    Not sure but...

    don't Twitter have a responsibility to police apps that use their API? Particularly when the developer has to obtain a key to use that API in the first place?

  8. Anonymous Coward
    Anonymous Coward

    What's the story?

    So some people signed up to a service and allowed that service to have (easily revokable) access to their twitter account so it could tweet. Then the owner of that service used the permission they were granted to post a tweet. The only story is that the tweet wasn't particularly pleasant.

  9. Robert Helpmann??
    Childcatcher

    New Focus

    I look at this as the early days of AV software (NO, don't start in on the heuristics versus signature argument!) in that this is an emerging area of concern for security folks. There are a few apps out there that scan for unnecessary permissions and the presence of adware, but the onus is still on the user to decide what to do about the potentially problematic apps. Sooner or later, we will see certain behaviors defined as malicious or unacceptable and blocked without user intervention.

    On one hand, nothing is free and it seems reasonable to expect to deal with ads or other methods for the app developer to make some money off our downloads. On the other hand, one of the underpinnings of the use of apps paid for by data tracking and ads is informed consent.

    1. mark 63 Silver badge

      Re: New Focus

      I'd like an app that tells me which processes are going online.

      Since Orange Fucked up my broadband 7 days ago I've plugged in a 56k modem for emergencys.

      Amazing how often the "go online" box pops up these days!

  10. danieltharris

    How is this hijacking?

    They shouldn't have allowed an app from a source they don't trust...he didn't hijack their accounts though, that would imply he gained control of the account, was able to log in as them etc.

    1. diodesign (Written by Reg staff) Silver badge

      Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking them I'm a banana.

      C.

      1. Anonymous Coward
        Facepalm

        ?

        "Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking them I'm a banana."

        Wait, it's hijacking because it is missing the functionality of comparing Twitter accounts? So, if it did what the user expected by comparing profiles as well as what it did, it wouldn't be? This is exploiting, not hijacking.

        The closest you get to the word "Hijack" in this regard is...

        2. b : to subject to extortion or swindling

        http://www.merriam-webster.com/dictionary/hijack

        The closest you get to the word "Exploit" in this regard is...

        2. to make use of meanly or unfairly for one's own advantage <exploiting migrant farm workers>

        So, are you rotten or ripe?

      2. Anonymous Coward
        Anonymous Coward

        @diodesign

        Totally offtopic but considering how you Reg folks don't post that often...

        Just wanted to say that the badge system implementation looks more impressive to me. I know plenty of web forums where the staff always gets the full load of "achievements" because well, they're the staff.

        So seeing a bronze badge behind your name tells me that you guys like to play by the same rules you laid out, which IMO is recommendable. Just saying.

        And now back to our regular program...

      3. Anonymous Coward
        Anonymous Coward

        Plaintive plantain

        "...Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking them I'm a banana..."

        Good morning, Mr. Fyffe. May I just say how fantastically curved and yellow you're looking today!

        Yesterday a tramp asked me for some money for a "cup of tea". After voluntarily handing over said coinage, I subsequently observed him using it to buy a can of "Old BallBaggers Liver-Crippler" extra strength lager instead. Oh noes! I must immediately hotfoot it down to my local nick and report that I have been the victim of a hijacking!

      4. chrisbrown

        Pown?

        "Definition of hijacking is to take over something and use it for a different purpose."

        This kid hasn't taken over anything, He doesn't own the phone or the twitter account. Just turn his app off.

        1. diodesign (Written by Reg staff) Silver badge

          Re: Pown?

          Perhaps you would have preferred "joyride" to "hijack", then? Thanks anyway for the feedback. We'll have to agree to disagree.

          C.

  11. The Alpha Klutz

    twitter is the worst

    the other thing is linkedin. most competent people dont bother with it. but there is a hard core of linkedin users who want you to believe that they are employable. they are doing this by getting their agents into prominent media positions to forward the linkedin agenda telling you that you are scum for not being on it.

    but twitter is like that but without the aspect of anyone getting a job at the end of it. pure evil.

  12. nuked

    "Talk sense to a fool and he calls you foolish" - Euripides

  13. Karl Itschen
    Thumb Down

    Still better than LinkedIn

    LinkedIn is even (shocking!) directly asking for your mail password to access your contacts (and so propose connections).

    At least Twitter has a decent OAuth authorization scheme (though that still doesn't help, as the article shows).

This topic is closed for new posts.

Other stories you might like