
One of the reasons Twitter is such a useful platform for publishing is that it is largely spam free - you only receive messages from people you choose to follow. So even though a large number of spammy accounts have appeared on the service, the only real damage they do is when they trick people into following them (a lot of people just auto-follow whoever follows them as a courtesy).
Recently Twitter has tried to raise the bar even higher by removing accounts that appear to be trying to game the system. A lot of spammy accounts are just being deleted.
But what happens if someone finds a way to get others to follow them by exploiting some vulnerability in Twitter? The service would be overrun with spam overnight.
That appears to have happened today - I, along with 7,000+ other people, am now following user johng77536, even though I never hit the follow button (the account is following zero other users). The account, which is just two hours old, is now one of the top 100 Twitter accounts (it is currently #63), and growing fast. There are two posts in the account, both linking to a site called hotmoda.com.
This is the first time we’ve heard about Twitter being exploited in this way. Our guess is they found a vulnerability in the API and are going to push this for all it’s worth before being shut down. We’ll see how quickly Twitter responds.
We did a search for the username and came up with this link, where a user with the same name purports to be John and/or Lena Granger (who may well have nothing to do with this).
Update: Per the comments below, it looks like the vulnerability is being used for at least one other account (image), which links off to the same hotmoda site.

Here’s the link to block him. Everyone should hit this.
actually, Twitter should take care of this for us, and I expect they will shortly.
Shame on you for publishing the names of John and Lena Granger!!!
Since when are spammers stupid enough to use their own username? Now you’re maybe ruining the life of two honest Americans!!!
If you did your homework, you would’ve used Google Maps and figured out that ‘Velikiy Novgorod’ is a city (region?) in Russia. And the folks using this username have American names simply asking info about a hotel over there. Ok, “Lena” sounds Russian (contraction of Alena), so maybe the wife has some Russian family they were visiting. But it’s pretty obvious that the hackers (probably Russians) randomly grabbed this username from that travel site.
Now how dare you publish their name like that? Thanks to you - the first thing people will come across when entering their name on Google will be your article and association of their name with spamming, which is defamation. I wouldn’t be surprised to see them suing your ass and TC for such a lack of journalistic deontology.
Jason, what were you thinking??? Where are your ethics?
Actually, when is a spammer too stupid to hide their own whois?
Domain: hotmoda.com
Registration provider: myDiscountDomains.com
Lawrence Smith
Lawrence
PO Box 133
Olney, TX 76374 US
+1.111111238
Thus in other words, chances are Arrington, Calacanis, Le Meur etc… joined forces to pay some Russian hacker to get so many followers in no time on Twitter, FriendFeed, Facebook etc..
Well, now that is a very plausible explanation of their ‘success’.
Actually the right link is right here
Twitter, iPhone, Facebook, and recently FriendFeed.
No other stories? Startups?
TechCrunch: your source for all Twitter news and non-news.
This is actually a big story - spammers may have been exploiting this hole for a while. It just took someone stupid enough to add 7000+ accounts at once to raise the red flags.
But who cares…? Let’s say tomorrow TwitPic has the same problem. Will you post about it? Let’s say some other random startup is allowing users to message people on the network they aren’t supposed to be. Will you post about it?
Anything about Twitter is not a big story
I am guessing this is the same person http://twitter.com/jpmogan.
Same website, not following anyone, over 9,000 followers.
Nice. I don’t like Twitter though. I’m more into Plurk. It’s easier to get friends and it looks a lot nicer and organized.
Guessing people are just using iframe or img exploits to redirect and force users to follow them… same exploits that used to work on myspace and youtube.
Listen to Shoe.
If it is not Facebook, it’s Twitter; not Twitter, Facebook. It is just getting old…please move on or we will, listen to your readers.
Yes, listen to your readers.
Good story as these issues need to be addressed if we are planning to use Twitter-like services for any ubiquitous messaging
Michael Welcome to the Dark Side of Twitter! LMAO
Wow, interesting hack. Wonder if he did something like the Samy Myspace hack.
http://www.computerworld.com/s.....84,00.html
Someone deployed a link/script on a webpage that in the background creates the follow. Get that link passed around on Twitter a bit and it’s not hard to get 7000 people.
He doesn’t seem to have gotten any “power users” though; they normally appear on the first page of someone’s followers list. Mike is there but I imagine he followed him after this story?
The same exploit works in Pligg-based voting sites as well..
Internet is for porn (and Spammers).
And for Dario, apparently!
Makes you wonder what you’re doing here then.
Here’s a primer.
http://packetstormsecurity.org.....sguide.txt
What I think Sammy was doing (Sammy was on our website as well at the time it happened): in Flash 8 there was a vulnerability where the ActionScript getURL() would execute JavaScript if the word javascript was split into 2 strings
getURL('javas'+'cript:badcodehere');
That was patched in flash 9. Some of the other XSS techniques are still good.
CSRF attacks like this (assuming it actually is one and not something more serious) are pretty common but don’t get nearly as much attention as XSS does. Sites should include tokens in their forms to prevent this kind of exploitation.
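A server-side check of the kind this comment recommends, as an added example that is not from the original thread or from Twitter’s own code; the “follow” endpoint, the session id, the secret and the sample form data are all assumptions:

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment would load it from config.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Derive a per-session token the server embeds in its own 'follow' form.
    A page on another origin can make the browser send the session cookie,
    but it cannot read this value, so it cannot forge the hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_follow(method, session_id, form):
    """Simulated handler for a hypothetical 'follow user' endpoint.
    Returns (status, message) the way an HTTP response would."""
    # An <img> or <iframe> can only trigger a GET, so a state-changing
    # endpoint must refuse anything but POST.
    if method != "POST":
        return 405, "method not allowed"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a plain == would leak the token byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "forbidden: missing or invalid CSRF token"
    target = form.get("user", "")
    if not target:
        return 400, "bad request: no user to follow"
    return 200, "now following " + target


if __name__ == "__main__":
    sid = "session-of-victim"  # constructed sample session id
    # Legitimate submission from the site's own form carries the token.
    print(handle_follow("POST", sid, {"csrf_token": issue_csrf_token(sid), "user": "alice"}))
    # Forged cross-site request: the cookie rides along, the token does not.
    print(handle_follow("POST", sid, {"user": "spammer"}))
    print(handle_follow("GET", sid, {"user": "spammer"}))
```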
that’s neat
You can use http://twitter.com/help/ and select the ‘this is a spam request’ option to report spam to Twitter. They usually respond within a day and either delete the account or mark it for monitoring, depending on how blatant the abuse is.
I guess that means that even if updates are protected someone can view them with this hack unless I block him…
Another Twitter article, surprise, surprise!
Charles Stone said
“Shame on you for publishing the names of John and Lena Granger!!!
Since when spammers are stupid enough to use their own username? Now you’re maybe ruining the life of two honest Americans!!! ”
Why hasn’t this been responded to? What is wrong with you publishing the names of people who in all likelihood are also victims of this spammer?
I have seen this many times now - that and multiple single-post members with tons of followers…
Just going over my followers I have several that seem like bots. So either they have rigged it or they are parts of apps that just decide to follow for you without telling you… both seem bad to me:
Examples:
https://twitter.com/searchmeinc
https://twitter.com/TyCoughIin
Both I am not following but they are following me… I assume in an effort to get me to follow them…
I can only imagine that Twitter has holes… seeing the past issues with even keeping it up and running - it was only a matter of time before they were going to be exploited…
Not exactly the end of the world though…
It is only Twitter…
This is a lame story.
TechCrunch is the Fox News of the blogging world.
Some good stories, the rest BS.
Very well said! Fox News of Web 2.0! LMAO
Alright, so, out of curiosity, what is your NPR of the blogging world / Web 2.0?
Oh the humanity!
I assume this will delay important Twitter missives like “Eating cake!” or “My ass feels funny.”
Great. Now instead of getting 7,000 clicks hotmoda is going to get 70,000 thanks to Jason.
Maybe Jason is actually Johng77536. The J’s match.
It’s not necessarily a Twitter vulnerability; it could be that someone has exploited or hacked a Twitter application (surely these online apps that update your status automatically store your username and password in a database, right?)
Then they’d be able to twit their shit from those folks’ accounts, which would’ve had a far bigger effect.
This is absolutely shocking news. You mean virgin Twitter is being used by spammers?
BTW, Charles Stone (#3) is right.
Twitter is the NPR of Web2.0 (it pretends to be egalitarian.)
First post! (by a woman)
Nice to hear Twitter’s trying to police some of these spammers that join and try following everyone just to present their weight loss or riches overnight offers. Would write more but it’s time to tweet!
Jason, you’re a fcukin idiot. Keep on mentioning that hot***.com site and you’ll help the spammer achieve his/her goal. It should have been obfuscated, both from your own text as well as from the screenshot. And naming the people who may have got nothing to do with this? What the fcuk were you thinking? Michael, please fire his a55.
Author of this post: How dumb do you have to be to mention actual names, I’m sure that couple is the mastermind spammer. You should be fired.
Q: Who is Twitter and how did they game TechCrunch?
A: A company that allows retarded adults to talk over IRC / so that the company can be talked about by retarded adults off IRC.
Your business model is one non-sleepy wireless-provider engineer away from being usurped by companies who actually have paying customers.
I’m fascinated that whoever figured this hack out–which, however wrong, is pretty amazing–that they just used it to create an obviously spammy account. I mean, they could have doubled their numbers quickly by interacting with a few people (everyone jumps on the bandwagon of someone with a high follower list). Most people, even heavy hitters (including every name mentioned above), would assume that his high numbers meant he was important, however nonsensical his account, and followed him. What I mean is: he gamed the software, but not the community–which would have been far more, um, interesting.
Hi this is Mark from Twitter. I’ve taken care of the accounts in question and I’ll have you know we’re working hard at weeding out those who abuse the system like this. Thanks.
@Mark (from Twitter) Not that it probably matters, but - the link to johng77536’s followers still shows all of the followers.
At twittercounter.com you can see how Johng77536 grew to that many followers in one day: http://twittercounter.com/?username=Johng77536
Also check the daily updated top 100 here:
http://twittercounter.com/?username=Johng77536
Just checked: both Johng77536 and jpmogan accounts already deleted. Fast response from Twitter team. Hope they’ll fix the vulnerability soon.
Any news on twitter should be truncated to 140 characters!
Johng is the man who stopped the motor of the Internet!
I liked the story, watching Twitter blunders is actually quite entertaining.
Good post.
As this article says: Twitter will make way to other microblogging services due to the fact that history tends to repeat itself. Disruptive technology’s first company tends to clear the ground, but it’s someone else that builds the skyscraper.
Just checked the spammer’s account. Guess what? Twitter removed the account already.
Today I got redirected after logging in to Twitter. It took me to twitter.de/STORED … Anybody know what that is? Please comment here: http://api-madness.com/post/twitter-hacked/