I was reading some tweets and as usual i found some trends , that are about these twitter addicted users who are seeking for likes , retweets and follow for follow , this is the worst purpose to use social media , anyway i decided to spam users may i get their attention .
I started investigating twitter and i found the following interesting points:
1- Twitter allows multi-registration with single email address , let me clarify it :
if you have an email as email@example.com
you can generate some aliases of it with do inserted as the following
– and others
I used this script to generate more than 400 accounts from single gmail address
2- Guest session and tokens are reusable
i mean that when you GET twitter.com/
you will receive some cookies and authenticity_token
then registration form will be embeded on this main page , so when you supply the sign up details , a POST request contains the grabbed cookies and token beside your registration details
If you took this request and launched burp intruder , and set payload to load the email from a file containing the 400 generated email aliases, you would register 400 twitter accounts with single session , So this means tokens are reusable , this make our automation much easier we do not have to grab new tokens.
3- Login process requires only two requests
The first GET twitter.com/ we already sent before
the second POST twitter.com/session
and if your credits are valid you will get a session.
4- No Rate limits implemented on any function
I mean that when you are logged in you can like dozens of tweets , follow hundreds of people , mass retweets .. etc
5- Weak checking
Any other action like follow , retweet/like tweets, tweeting , DM is easy to trigger , as we said since tokens are reusable , and twitter protect against CSRF attacks by checking referer header Regardless CSRF token, so we can use the token we used on the login process in further actions.
i started to register 400 accounts with burp intruder , of course i did it as much easy as i’m installing winamp by NEXT,NEXT,Finish
But registered accounts need mobile verification , i got enough with 15 verified account .
Then wrote a script to do the task for me
You can use the following commands to start with it
git clone http://ift.tt/2eqFR3m
————————————————————You need python and python requests on your machine
What this repo has ?
The registered 400 accounts with their passwords
15 valid verified accounts ready to spam
What we can get?
1- We can spam any twitter user with mass likes , retweets and follows
2- you can trend something , but this much more than 15 accounts , of course you can post 10K of tweets with 15 accounts , but it will not considered as a real trend
Note: Some functions are not implemented on tspammer like DM , i did not enable it yet.
Partners : if you have some accounts already verified , you can send them us and we will push them to the script to enhance it .
If you see this article poor , i respect your opinion ,i was in a hurry , post any question and i will make all points clear.