How to send DMs on Twitter without permission (opens in new tab)

(homakov.blogspot.com)

167 pointsbrodd12y ago56 comments

56 comments

chaz12y ago

> I wrote a full disclosure post 5 minutes after finding the bug because twitter doesn't reward "bounty hunters".

Companies without bug bounties don't deserve responsible disclosure? Twitter has a pretty clear way to reach them, and recognition is given on their page. If recognition isn't sufficient for responsible disclosure, how much money would be enough? I think bug bounty programs are great, but I don't think they should be mandatory.

https://about.twitter.com/company/security

doughj312y ago

> Companies without bug bounties don't deserve responsible disclosure?

That seems to be homakov's view, yes, and I can't say I don't understand his view.

md22412y ago

Of course you understand it, but do you agree with it?

If you seek out bugs in a company's code with the expectation that you'll be rewarded for it, and then the company fails to reward you, I can see that it might be perceived as unfair, especially if the company indicated that such an expectation was reasonable.

If you happen across a bug in a company's code, and then publicize it because they aren't going to pay you money for it, that seems a little more like "blackmail." People really shouldn't orient their moral systems around money.

6 more replies

sneak12y ago

> Companies without bug bounties don't deserve responsible disclosure?

The term "responsible disclosure" implies that other types are "irresponsible disclosure".

If you discover new information through research, there is nothing irresponsible about publishing it on the open web.

Stop this stupid linguistic battle.

ronaldx12y ago

Why should companies expect disclosure at all?

The fact that the bug has been disclosed rather than exploited is, itself, a huge favour to Twitter.

jxf12y ago

People in various forums (a couple on HN, SO, Egor's blog, Twitter itself) seem to be saying something like "this isn't really a bug".

It's definitely a bug. Twitter requires clients to ask for the DM permission before they can send DMs. With Egor's approach, clients can privilege-escalate themselves to send DMs even if they never asked for that permission (although they still need to be authorized to send tweets).

Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568

And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240

jkrems12y ago

Read the API docs, only reading DMs needs a special permission, POST direct message only needs the permissions that writing a "normal" tweet would. There's no bug here. Maybe a confusing security model, but no bug.

voyou12y ago

"Twitter requires clients to ask for the DM permission before they can send DMs"

Perhaps it should, but it doesn't - apps can use the normal API to send DMs without asking for the special DM permission. So the use of the "d" command through the API isn't a vulnerability (it doesn't let anyone do anything they aren't supposed to be able to do), even if it is weird.

pothibo12y ago

This kind of bug falls in grey area I believe. It's more a legacy feature that should be turned off.

Nonetheless, I think it's wrong to have that feature still working.

gkoberger12y ago

This is the same guy who hacked GitHub (and Rails) with the multiple assignment hack, among other things.

the_french12y ago

I enjoy reading his finds a lot. He tends to find relatively blatant lapses in the various security measures of the sites he investigates.

Kiro12y ago

homakov is as famous as PG on HN.

larrys12y ago

Where is he "as famous"?

On HN? Or somewhere else (if so where?) where he is "as famous as PG on HN".

If you mean he is as famous on HN as PG is on HN I don't think that is the case.

2 more replies

edent12y ago

It only allows you to send DMs to those users you can already message - which is a small mercy.

This part of Twitter's "Get Better" problem - where they've allowed SMS commands to be activated via non-SMS interfaces - http://techcrunch.com/2012/05/26/twitter-get-better/

Of course, it doesn't help that Twitter's permissions system is really poorly thought out. An app which only wants to read your Tweets also has WRITE access as well.

homakov12y ago

So twitter should replace R&W DM to just R DM permission, because W DM comes automatically with R&W Tweets. Isn't it.. so wrong?

xs_kid12y ago

Isn't a bug according to twitter employers:

http://twitter.com/jmhodges/status/411975535703511040

bcardarella12y ago

the 'd' syntax for sending DMs has been around from nearly the beginning (or from the actual beginning?) of Twitter. That in itself is not a bug. However, Twitter should be stripping that leading 'd' from anything that is reposting or from a 3rd party OAauth session.

TillE12y ago

It's not a bug per se, but it's certainly a hideous misfeature to have ever had that kind of input parsing except on the SMS interface to Twitter. It's just completely unnecessary.

TazeTSchnitzel12y ago

This isn't the first bug to be found because of it!

raverbashing12y ago

Exactly this

There were worse commands, I remember there was a 'follow' command (not sure it was called like that), twitter disabled this

The d command has some user experience value, however, yes, it makes no sense for twitter to accept it on non twitter apps (meaning, those that don't provide the twitter experience - like mobile clients, tweetdeck, etc)

adelevie12y ago

Not sure how many hours go into finding these sorts of vulnerabilities, but his rate of $150/hour[1] seems like a steal compared to the lost revenues he can prevent.

[1] http://www.sakurity.com/

iloveponies12y ago

On the flip side, Homakov personally has incredibly bad OPSEC practices which would make me think twice for using him. There's a correlation between what you pay and what you might get.

TheCowboy12y ago

What do you even mean to have "incredibly bad OPSEC practices"? Without an explanation, your comment comes across as more unnecessary snark, which unfortunately isn't uncommon in threads that remark upon Homakov, or on HN in general.

1 more reply

jcutrell12y ago

This is in line with a long laundry list of horribleness about user experience as related to DMs in my opinion. They don't work as expected, and quite honestly to me it feels like Twitter is running a campaign to destroy peoples' love of the DM in search of a Solution, maybe in preparation for a dm 2.0 or something.

Some of the experience elements of DM have been fixed on the iPhone, but last I checked, the problems on web desktop made me so annoyed that I stopped using DMs altogether.

homakov12y ago

Taking into account this bug and twitter's response - they don't differ DMs from tweets much. Privateness of DM doesn't mean it to them what it means to us.

mergy12y ago

Come over to App.net. It will be a while before the masses ruin that.

Free invite link >> https://join.app.net/from/fjjgdclsjq

joelandren12y ago

Oh, I don't think you have to worry about the masses ever ruining App.net

onedev12y ago

I think I'll avoid it as well. I wouldn't want to accidentally ruin it.

j / k navigate · click thread line to collapse

56 comments

chaz12y ago

> I wrote a full disclosure post 5 minutes after finding the bug because twitter doesn't reward "bounty hunters".

https://about.twitter.com/company/security

doughj312y ago

> Companies without bug bounties don't deserve responsible disclosure?

That seems to be homakov's view, yes, and I can't say I don't understand his view.

md22412y ago

Of course you understand it, but do you agree with it?

6 more replies

sneak12y ago

> Companies without bug bounties don't deserve responsible disclosure?

The term "responsible disclosure" implies that other types are "irresponsible disclosure".

If you discover new information through research, there is nothing irresponsible about publishing it on the open web.

Stop this stupid linguistic battle.

ronaldx12y ago

Why should companies expect disclosure at all?

The fact that the bug has been disclosed rather than exploited is, itself, a huge favour to Twitter.

jxf12y ago

People in various forums (a couple on HN, SO, Egor's blog, Twitter itself) seem to be saying something like "this isn't really a bug".

Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568

And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240

jkrems12y ago

voyou12y ago

"Twitter requires clients to ask for the DM permission before they can send DMs"

pothibo12y ago

This kind of bug falls in grey area I believe. It's more a legacy feature that should be turned off.

Nonetheless, I think it's wrong to have that feature still working.

gkoberger12y ago

This is the same guy who hacked GitHub (and Rails) with the multiple assignment hack, among other things.

the_french12y ago

I enjoy reading his finds a lot. He tends to find relatively blatant lapses in the various security measures of the sites he investigates.

Kiro12y ago

homakov is as famous as PG on HN.

larrys12y ago

Where is he "as famous"?

On HN? Or somewhere else (if so where?) where he is "as famous as PG on HN".

If you mean he is as famous on HN as PG is on HN I don't think that is the case.

2 more replies

edent12y ago

It only allows you to send DMs to those users you can already message - which is a small mercy.

This part of Twitter's "Get Better" problem - where they've allowed SMS commands to be activated via non-SMS interfaces - http://techcrunch.com/2012/05/26/twitter-get-better/

Of course, it doesn't help that Twitter's permissions system is really poorly thought out. An app which only wants to read your Tweets also has WRITE access as well.

homakov12y ago

So twitter should replace R&W DM to just R DM permission, because W DM comes automatically with R&W Tweets. Isn't it.. so wrong?

xs_kid12y ago

Isn't a bug according to twitter employers:

http://twitter.com/jmhodges/status/411975535703511040

bcardarella12y ago

TillE12y ago

It's not a bug per se, but it's certainly a hideous misfeature to have ever had that kind of input parsing except on the SMS interface to Twitter. It's just completely unnecessary.

TazeTSchnitzel12y ago

This isn't the first bug to be found because of it!

raverbashing12y ago

Exactly this

There were worse commands, I remember there was a 'follow' command (not sure it was called like that), twitter disabled this

adelevie12y ago

Not sure how many hours go into finding these sorts of vulnerabilities, but his rate of $150/hour[1] seems like a steal compared to the lost revenues he can prevent.

[1] http://www.sakurity.com/

iloveponies12y ago

On the flip side, Homakov personally has incredibly bad OPSEC practices which would make me think twice for using him. There's a correlation between what you pay and what you might get.

TheCowboy12y ago

1 more reply

jcutrell12y ago

Some of the experience elements of DM have been fixed on the iPhone, but last I checked, the problems on web desktop made me so annoyed that I stopped using DMs altogether.

homakov12y ago

Taking into account this bug and twitter's response - they don't differ DMs from tweets much. Privateness of DM doesn't mean it to them what it means to us.

mergy12y ago

Come over to App.net. It will be a while before the masses ruin that.

Free invite link >> https://join.app.net/from/fjjgdclsjq

joelandren12y ago

Oh, I don't think you have to worry about the masses ever ruining App.net

onedev12y ago

I think I'll avoid it as well. I wouldn't want to accidentally ruin it.

j / k navigate · click thread line to collapse