Skeptikal.org

Thursday, July 9, 2009

TweetMyPC: What I've learned From Your Screenshots

I've been watching the Twitter traffic pertaining to TweetMyPC. So far, I've amassed a decent collection of users' screenshots, all of which reveal private data.

First off, I have already confirmed my previous statement:
Your Twitter feed is public. Even if you make it private, recent incidents with Twitter should be enough to make you consider it public.


When TweetMyPC posts a screenshot, it uses Twitpic to do so. Though the TweetMyPC documentation encourages users to make the "command" Twitter accounts private, it makes no mention of TwitPic, which is a completely different service, and does not reflect Twitter's privacy settings. This being the case, locating command Twitter accounts (even the private ones) is a simple matter of searching through Twitpic's archives for the string "TweetMyPC -> Screenshot".

While Twitpic doesn't have a search feature (they've been promising one for some time), they do have a public feed, and there are third party (fourth party, I suppose) sites that allow you to do just that.

The next thing I learned is also a TwitPic issue (a bug, perhaps). You won't see this one on the Month of Twitter Bugs, but it turns out that deleted photos on TwitPic aren't actually deleted. An example: TwitPic claims that the image with the ID 9s4gx no longer exists. However, if you go directly to the full-sized image, you'll see that you can download the image, a screenshot of that user's Windows registry.

It's worth noting that this user has indeed protected his updates on Twitter... not that it did a lot of good.

Now let's get to the screenshots themselves.

Even the tiniest bit of information can be extremely useful to an attacker. It all depends on his motivation, his expertise, and how much free time he has. As none of this is predictable, I recommend that you use extreme caution in posting screenshots online.

This screenshot displays the contents of the user's Gmail account, his Gmail address, and the IP address that he is logged into Gmail from. From his bookmarks toolbar, we can guess what websites he visits regularly, and from the browser's status bar, we know that he is using Greasemonkey. From the Windows XP taskbar, we can see what software he is currently running, including antivirus and instant messaging. We know that he's not using NoScript, and that he appears to be a relatively savvy computer user.

I think we've got enough info to own this computer. Let's move on.

This guy is clearly logged into his investment management portal. Combining the info in this screenshot with some of the other information revealed in that user's Twitter account, and noting that there's an XSS hole on the investment site, I'm betting I could XSS him out of his stock portfolio.

Want more? You just have to look.

Desktop shortcuts, NoScript settings, browser history, Yahoo mailboxes, network and firewall settings, not to mention everyday activity, from piracy to IM conversations to grocery lists, are all freely available.


Wednesday, July 8, 2009

RIP Milw0rm (or not)

Sadly, Milw0rm.com is going offline, permanently from the sound of it. Str0ke posted the following message on the site before it went dark:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past. Be safe, /str0ke


While it gets a bad rap for its large script kiddie user base, I've learned a lot from the exploits on that site, and it will be missed. Thanks Str0ke.

If anybody has info about where I can get a copy of the milw0rm archives, I'd be happy to mirror it here.

Update 7/8/2009 2:47 PM: While Str0ke isn't going to be running things, it looks like he found some other people to take over for him. Exploit submissions are still closed for now, and milw0rm.com is still offline, though that may just be server overloading.


Monday, July 6, 2009

Today's Bad Idea: TweetMyPC

Some people just don't think.

TweetMyPC is an application you can install on your PC. It will read your Twitter feed and execute commands based on your tweets. How did somebody get all the way through writing this app without considering what a supremely poor idea it is? A few problems:

Your Twitter feed is public. Even if you make it private, recent incidents with Twitter should be enough to make you consider it public.

Do you really want the whole world to be able to view all your screenshots?

The entire security model of this app (if it could be considered such) relies on the idea that only you can post things to your Twitter account. Aviv Raff and his month of Twitter bugs are proving this wrong every day.
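To make the design flaw concrete, here is an added example (my own illustration, not TweetMyPC's code) of a "commands over a public feed" dispatcher in two versions. The weak one does what the post describes: anything that shows up on the feed and looks like a command gets run, so whoever can post to the feed controls the PC. The hardened one assumes a secret shared only between the PC and the owner's client, and accepts a line only if it carries a valid HMAC over the command and a strictly increasing counter, which discards both lines posted by anyone else and replays of old genuine lines. The secret, the feed lines and the command allowlist are all constructed for this example.

```python
"""Added example: executing commands from an untrusted public feed, weak vs. hardened.

The weak dispatcher trusts the channel; the hardened one authenticates each
message with a shared secret and refuses replays. Everything here (secret,
feed lines, allowlist) is constructed for illustration.
"""
import hashlib
import hmac

# Commands the PC is willing to run at all (constructed allowlist).
ALLOWED = {"screenshot", "lock", "shutdown"}


def weak_dispatch(feed):
    """Weak design: run every feed line that matches a known command.

    Anyone who can post to the feed (or inject into it) gets execution."""
    executed = []
    for line in feed:
        cmd = line.strip().lower()
        if cmd in ALLOWED:
            executed.append(cmd)
    return executed


def sign(secret, counter, cmd):
    """HMAC-SHA256 over 'counter:cmd'; binds the tag to both fields."""
    return hmac.new(secret, f"{counter}:{cmd}".encode(), hashlib.sha256).hexdigest()


def format_command(secret, counter, cmd):
    """What the owner's client posts: counter:cmd:tag."""
    return f"{counter}:{cmd}:{sign(secret, counter, cmd)}"


class HardenedDispatcher:
    """Hardened design: accept only signed, fresh, allowlisted commands."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = 0  # highest counter already executed

    def dispatch(self, feed):
        executed, rejected = [], []
        for line in feed:
            parts = line.strip().split(":")
            if len(parts) != 3 or not parts[0].isdigit():
                rejected.append((line, "malformed"))
                continue
            counter, cmd, tag = int(parts[0]), parts[1], parts[2]
            # Verify the tag before anything else, so unsigned lines can
            # never influence state (constant-time compare).
            if not hmac.compare_digest(sign(self.secret, counter, cmd), tag):
                rejected.append((line, "bad signature"))
                continue
            if counter <= self.last_counter:
                rejected.append((line, "replay"))
                continue
            if cmd not in ALLOWED:
                rejected.append((line, "not allowlisted"))
                continue
            self.last_counter = counter
            executed.append(cmd)
        return executed, rejected


# Constructed sample feed: two genuine lines mixed with lines that a
# hardened dispatcher must refuse.
SECRET = b"constructed-shared-secret"
SAMPLE_FEED = [
    format_command(SECRET, 1, "screenshot"),  # genuine
    "shutdown",                               # plain text, anyone could post it
    "2:shutdown:" + "0" * 64,                 # forged tag
    format_command(SECRET, 2, "lock"),        # genuine
    format_command(SECRET, 1, "screenshot"),  # replay of the first line
    format_command(SECRET, 3, "reboot"),      # signed, but not allowlisted
]


def demo():
    """Returns (weak_result, hardened_result) for the sample feed."""
    return weak_dispatch(SAMPLE_FEED), HardenedDispatcher(SECRET).dispatch(SAMPLE_FEED)


if __name__ == "__main__":
    weak, (ran, dropped) = demo()
    print("weak ran:", weak)
    print("hardened ran:", ran)
    for line, why in dropped:
        print("hardened dropped:", why, "<-", line[:40])
```

On the sample feed the weak dispatcher executes the stranger's plain "shutdown" and nothing else, while the hardened one executes only the owner's two signed commands and reports why each other line was dropped. The counter is only advanced after a line passes every check, so a forged or replayed message cannot move it.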

What is wrong with people? I know I'm a security guy, but seriously, think before you install remote access software for your PC. From the looks of the chatter, a lot of people are using this app already.

Remote desktop works fine, and there's no reason to use Twitter as your carrier. Twitter is not a network protocol. It's not even a great social networking app.

Edit: I'm collecting screenshots of personal information or other sensitive data here. I'll probably write a bot to do this for me soon enough.
