Tuesday, July 13, 2010

Dangerous security hole in Twitter lets you modify user profiles with a tweet

@hernanmdq and @twittboy just accidentally discovered a set of undocumented Twitter commands (Spanish). These commands let you change some fields of your Twitter profile like URL, location and name. The shortcuts are common words, so this is a dangerous backdoor that could lets you accidentally modify your Twitter profile in case of twitting like happened to @hernanmdq and @twittboy when tried to tweet about this Hernan’s post. Note the words Crear URL in the post title.

The commands are specific for the language that you have setted up in Twitter.

The magic word for English is set:
set url locafollow.com
This changes your profile URL, it only works if you omit the http:// part
set name mynewname
This changes your profile full name
set location mynewlocation
This changes your profile location


The magic word for Spanish is crear, I guess there are similar commands for each of the supported languages in Twitter. If the command was correctly parsed the tweet won’t appear in your Twitter timeline.



Why is it so dangerous?
It works also using the API, so tweets from the 3rd party apps could modify your profile too.
For example I can make a new post with a title like “Set name e24apps.com”. All of you that innocently tweet it, and all the users that are currently subscribed to this blog feed using apps like twitterfeed will automatically change its profile names to e24apps.com, this would be great for our branding :-)

About LocaFollow.com
Find people on Twitter searching by location and bio fields. The best way to find Twitter users near your location and bulk follow them. LocaFollow is part of e24apps.com network
Posted by at
Labels: , , , ,

6 comments:

  1. John KaluckiJuly 13, 2010 at 2:03 PM

    What's the secret? It's documented here: http://help.twitter.com/entries/14020-official-twitter-text-commands

    ReplyDelete
  2. aartilesJuly 13, 2010 at 2:45 PM

    Only set location is documented there.

    set url, set name and the Spanish version crear url, crear name and crear location are missing.

    This is very dangerous because users can accidentally modify their profiles as already happened to @twittboy

    ReplyDelete
  3. aartilesJuly 14, 2010 at 10:44 AM

    Here you can test the bug: http://seturl.blogspot.com/ (Disclaimer: I am not the author of this blog)

    ReplyDelete
  4. AlexanderJuly 28, 2020 at 1:12 AM

    If you already have an account on Twitter and are using it but have limited success with it, do not worry, as we will be giving you some practical tips to get started with your Twitter account effectively. Follow LinkW88moinhat on Twitter

    ReplyDelete
  5. CuzToxAugust 9, 2020 at 3:16 AM

    Your business will be open all day, every day in nations around the world; the sun will never set on your flourishing business. twitter followers

    ReplyDelete
  6. shelbySeptember 29, 2023 at 5:15 AM

    Your blog is like a fine wine, getting better with each post. Cheers to your continuous improvement and dedication.Desestimar Orden Protección Nueva Jersey

    ReplyDelete

Subscribe to: Post Comments (Atom)