Security and Technology

Spamming Twitter Users with 15 accounts – Learn Penetration Testing & Ethical Hacking

This article is about automation on Twitter, and about abusing Twitter features by spamming.

Hi Guys

I was reading some tweets and, as usual, I found some trends driven by Twitter-addicted users who are seeking likes, retweets and follow-for-follow. This is the worst purpose to use social media for, but anyway, I decided to spam these users so I might get their attention.

I started investigating Twitter and found the following interesting points:

1- Twitter allows multiple registrations with a single email address. Let me clarify:

If you have an email address such as abutrika@gmail.com, you can generate aliases of it with dots inserted in the local part, for example:
– a.butrika@gmail.com
– ab.utrika@gmail.com
– abu.trika@gmail.com
– and others

Gmail ignores dots in the local part, so all of these deliver to the same inbox. I used this script to generate more than 400 accounts from a single Gmail address.

2- Guest sessions and tokens are reusable
I mean that when you GET twitter.com/ you receive some cookies and an authenticity_token. The registration form is embedded in this main page, so when you supply the sign-up details, a POST request carries the grabbed cookies and token alongside your registration details.

If you take this request and load it into Burp Intruder, setting the payload to read the email from a file containing the 400 generated email aliases, you can register 400 Twitter accounts with a single session. This means the tokens are reusable, which makes our automation much easier: we do not have to grab new tokens.

3- The login process requires only two requests

The first is the GET twitter.com/ we already sent before.
The second is a POST to twitter.com/session.

If your credentials are valid, you get a session.

4- No rate limits implemented on any function
I mean that once you are logged in, you can like dozens of tweets, follow hundreds of people, mass-retweet, etc.

5- Weak checking
Any other action, such as follow, retweet/like, tweeting or DM, is easy to trigger. As we said, the tokens are reusable, and Twitter protects against CSRF attacks by checking the Referer header regardless of the CSRF token, so we can use the token from the login process in further actions.
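Point 1 above describes the weakness on the registration side: a sign-up form that treats every dotted spelling of one Gmail inbox as a new identity. The following is an added defensive example, not code from the original post or from the tspammer repository, showing how a registration service can canonicalise addresses so that all such aliases collapse to one key and repeated sign-ups from the same inbox become visible. The provider sets and the sample addresses are assumptions constructed for the example.

```python
"""Canonicalise mailbox addresses so dot-aliases of one inbox map to one key."""
import re

# Assumption for this example: providers known to ignore dots in the local
# part and to deliver "+tag" addresses to the base mailbox. Extend per policy.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}
PLUS_TAG_DOMAINS = {"gmail.com"}

_ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def canonical_mailbox(address: str) -> str:
    """Return the canonical form of an address for duplicate detection."""
    match = _ADDR_RE.match(address.strip())
    if not match:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = match.group(1).lower(), match.group(2).lower()
    if domain == "googlemail.com":       # same mailbox namespace as gmail.com
        domain = "gmail.com"
    if domain in PLUS_TAG_DOMAINS:       # drop "+tag" suffix
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:  # a.b.c == abc for these providers
        local = local.replace(".", "")
    return f"{local}@{domain}"


def find_duplicate_registrations(addresses, limit=1):
    """Group sign-up attempts by canonical mailbox; return groups over the limit."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return {key: seen for key, seen in groups.items() if len(seen) > limit}


# Constructed sample input: four dotted/tagged spellings of one inbox plus one
# unrelated address, as a registration log might show them.
SAMPLE_SIGNUPS = [
    "abutrika@gmail.com",
    "a.butrika@gmail.com",
    "ab.utrika@gmail.com",
    "Abu.Trika+signup@GoogleMail.com",
    "someone.else@example.org",
]

if __name__ == "__main__":
    for mailbox, seen in find_duplicate_registrations(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(seen)} sign-ups -> {seen}")
```

Applying the same canonical key to the account-creation rate limit (per inbox rather than per literal address) is what stops the 400-alias Intruder run described in point 2 from producing 400 accounts.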

After that

I started registering 400 accounts with Burp Intruder. Of course, it was as easy as installing Winamp: Next, Next, Finish.
But the registered accounts need mobile verification, so I settled for 15 verified accounts.

Then I wrote a script to do the task for me:
http://ift.tt/2eWKJQu

You can use the following commands to get started with it:
————————————————————
git clone http://ift.tt/2eqFR3m
cd Tspammer/
python tspammer.py
————————————————————
You need Python and the Python requests library on your machine.

What does this repo contain?
– The 400 registered accounts with their passwords
– 15 valid, verified accounts ready to spam
– Request details

What can we get?
1- We can spam any Twitter user with mass likes, retweets and follows.
2- You can try to trend something, but that needs much more than 15 accounts. Of course you can post 10K tweets with 15 accounts, but it will not be considered a real trend.

Video

Note: Some functions, such as DM, are not implemented in tspammer yet; I have not enabled them.

Partners: if you already have some verified accounts, you can send them to us and we will add them to the script to enhance it.

If you find this article poor, I respect your opinion; I was in a hurry. Post any question and I will make all points clear.

Have fun

The post Spamming Twitter Users with 15 accounts appeared first on Learn Penetration Testing & Ethical Hacking. http://ift.tt/2eWN1zc http://ift.tt/2aM8QhC
