Tuesday, July 13, 2010

Dangerous security hole in Twitter lets you modify user profiles with a tweet

@hernanmdq and @twittboy just accidentally discovered a set of undocumented Twitter commands (Spanish). These commands let you change some fields of your Twitter profile, such as URL, location and name. The shortcuts are common words, so this is a dangerous backdoor that can modify your Twitter profile by accident when you tweet, as happened to @hernanmdq and @twittboy when they tried to tweet about Hernan’s post. Note the words Crear URL in the post title.

The commands are specific to the language you have set up in Twitter.

The magic word for English is set:
set url locafollow.com
  This changes your profile URL; it only works if you omit the http:// part.
set name mynewname
  This changes your profile full name.
set location mynewlocation
  This changes your profile location.


The magic word for Spanish is crear; I guess there are similar commands for each of the languages Twitter supports. If the command was correctly parsed, the tweet won’t appear in your Twitter timeline.



Why is it so dangerous?
It also works through the API, so tweets from third-party apps can modify your profile too.
For example, I can make a new post with a title like “Set name e24apps.com”. All of you who innocently tweet it, and all the users currently subscribed to this blog feed through apps like twitterfeed, will automatically change their profile names to e24apps.com; this would be great for our branding :-)
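As an added example (not code from the post or from Twitter), here is the pre-posting check a feed-to-tweet client like the one mentioned above could run to hold back any title that Twitter would read as a profile command. The two keywords and three fields are the ones the post reports; it assumes the keyword must open the tweet, and the sample titles are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Command keywords per Twitter interface language, as reported in the post:
# English "set", Spanish "crear". Other languages are assumed to exist but
# are not known here, so they are not listed.
COMMAND_WORDS = {"set": "en", "crear": "es"}
# Profile fields the post says these commands can change.
PROFILE_FIELDS = ("url", "name", "location")

class ProfileCommand(NamedTuple):
    language: str
    field: str
    value: str

# Keyword, field, then the rest of the tweet as the new value.
_CMD_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(.+?)\s*$", re.DOTALL)

def parse_profile_command(text: str) -> Optional[ProfileCommand]:
    """Return the profile command this tweet would be read as, or None.

    Case-insensitive, since the post's "Set name ..." example is capitalised.
    Assumption: the keyword must open the tweet. The post says "set url" with
    an http:// prefix does not take effect; this guard still flags it, because
    holding a harmless tweet costs less than a changed profile.
    """
    m = _CMD_RE.match(text)
    if not m:
        return None
    word, field, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if word in COMMAND_WORDS and field in PROFILE_FIELDS:
        return ProfileCommand(COMMAND_WORDS[word], field, value)
    return None

def hold_for_review(titles: List[str]) -> List[str]:
    """Return the feed titles an auto-poster should NOT tweet as-is."""
    return [t for t in titles if parse_profile_command(t) is not None]

# Constructed sample feed titles (not real blog posts).
SAMPLE_TITLES = [
    "Set name e24apps.com",
    "Dangerous security hole in Twitter lets you modify user profiles",
    "Crear URL en Twitter con un tweet",
    "set url http://locafollow.com",
    "I just set up my new location",
]

if __name__ == "__main__":
    for title in hold_for_review(SAMPLE_TITLES):
        print("HELD:", title, "->", parse_profile_command(title))
```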

About LocaFollow.com
Find people on Twitter searching by location and bio fields. The best way to find Twitter users near your location and bulk follow them. LocaFollow is part of e24apps.com network

3 comments:

  1. What's the secret? It's documented here: http://help.twitter.com/entries/14020-official-twitter-text-commands

  2. Only set location is documented there.

    set url, set name and the Spanish versions crear url, crear name and crear location are missing.

    This is very dangerous because users can accidentally modify their profiles, as already happened to @twittboy.

  3. Here you can test the bug: http://seturl.blogspot.com/ (Disclaimer: I am not the author of this blog)
