Security Weekly

Building A Botnet With Twitter?


Technology is a wonderful thing, and I love nothing more than to experiment with it. As security professionals, its in our best interest, and the best interests of the organizations we set out to protect, to understand new technology and the implications for security. I truly believe that you cannot understand how to secure something until you’ve had some hands-on time using it. This is part of the reason why you will see us on many of the popular social networking sites such as Linkedin, Facebook, and even MySpace (I won’t link to them, but you can find both myself and Larry on at least Linkedin and Facebook by our email addresses, see the Contact Page). The latest experimenting: you can now find me on Twitter (Larry too!). These are turning out to be some fairly useful networking tools, but present some risks and interesting attack scenarios.
For example, recently Twitter added the ability to send updates to Twitter, and receive updates from the people you are “following” via Jabber. This is very handy, “TWITTER” just shows up as another entry in your buddy list. To update your own Twitter page, just send the text to the “TWITTER” buddy. When someone you follow makes an update, Twitter sends it as a Jabber IM message back to you. You can do the same thing with SMS text messages. The danger? This allows me to put content in one place, and using the Twitter network, push it to potentially thousands of people automatically! This means if you can send some sort of exploit, or even a link to an exploit, and post it to people’s twitter accounts, it gets sent to a potential wide audience. This sounds like the Smurf 2.0 attack to me (sorry, I couldn’t resist). You would of course need to hijack someone’s twitter account, or discover an XSS in the twitter web site, or some sort of authentication bypass. However, one of those vulnerabilities in the Twitter system could be extremely damaging due to the nature of the Twitter network. Not only do you have the ability to send malicious content to people’s browsers, but you can also send exploits to Jabber clients and people’s cell phones, all by just posting small amounts of content to one person’s Twitter page!
Ah, but you say, what are the chances of this type of vulnerability? Nitesh Dhajani already found one…. This vulnerability allowed anyone who knows your phone number to essentially hijack your Twitter page. I was surprised not to see this exploited in the wild.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more.

Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable.
In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. Paul grew Security Weekly into a network of security podcasts spanning multiple topics, such as application security and business. It has been estimated that Paul has conducted over 1,000 interviews with security professionals and hosted more than 1,000 podcast episodes in cybersecurity. In 2020 Security Weekly was acquired by the Cyberrisk Alliance.

Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, and reading about UEFI and other firmware-related technical topics.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.