Mobile.twitter.com compromised. Sending spam


#1

If you look at my current tweet, you will see that my stream contains a spam tweet from mobile.twitter.com as the source. This happened once before, so I assumed it was an automated bot on the mobile site and I rotated my passwords. It happened again today. Not sure of the attack vector. It’s happening when I’m not using my machines, so I don’t believe it’s click-jacking.

Thoughts?


#2

Someone deleted it. Not sure if it was deleted via automation, by someone at Twitter, or by the spammer. I may still have the tweet JSON.


#3

Hmm. My password was reset. Someone at Twitter doing something?


#4

Twitter seems to think it was on my end, judging by the reset password email I got. I highly doubt it, because my password was a cryptographically strong 10 character random string. Here is the JSON of the tweet that was spamming. It’s clearly from “mobile.twitter.com”. I believe that Twitter may have a compromised hole there.

{ "in_reply_to_user_id_str": null, "contributors": null, "geo": null, "retweeted": false, "coordinates": null, "truncated": false, "text": "hey everyone youve gotta check this out I made almost $550 today! http://t.co/2IlVD8Q", "retweet_count": 0, "possibly_sensitive": false, "created_at": "Fri Aug 05 22:41:29 +0000 2011", "in_reply_to_status_id": null, "id_str": "99611007508418562", "entities": { "hashtags": [], "user_mentions": [], "urls": [ { "url": "http://t.co/2IlVD8Q", "expanded_url": "http://ow.ly/5ST4D?fid", "indices": [ 66, 85 ], "display_url": "ow.ly/5ST4D?fid" } ] }, "favorited": false, "source": "Mobile Web", "in_reply_to_status_id_str": null, "annotations": null, "place": null, "id": 99611007508418560, "user": { "statuses_count": 12919, "time_zone": "Pacific Time (US & Canada)", "protected": false, "screen_name": "zbowling", "listed_count": 123, "profile_use_background_image": true, "location": "San Francisco, CA", "name": "Zac Bowling", "contributors_enabled": false, "following": false, "profile_background_color": "1A1B1F", "followers_count": 1504, "profile_background_image_url_https": "https://si0.twimg.com/profile_background_images/85296143/874571.png", "profile_background_image_url": "http://a3.twimg.com/profile_background_images/85296143/874571.png", "utc_offset": -28800, "url": "http://zbowling.com/", "friends_count": 676, "profile_image_url_https": "https://si0.twimg.com/profile_images/1427219045/Photo_on_6-29-11_at_6.38_PM__2_normal.jpg", "description": "Hacker of everything. First employee and lead iOS engineer at @SeatmeHQ. Hackathon junky. 
", "default_profile_image": false, "created_at": "Tue Jul 24 06:27:32 +0000 2007", "profile_text_color": "666666", "notifications": false, "favourites_count": 792, "profile_sidebar_fill_color": "252429", "id_str": "7676492", "is_translator": false, "profile_background_tile": true, "show_all_inline_media": true, "follow_request_sent": false, "lang": "en", "geo_enabled": true, "verified": false, "profile_link_color": "2FC2EF", "profile_image_url": "http://a3.twimg.com/profile_images/1427219045/Photo_on_6-29-11_at_6.38_PM__2_normal.jpg", "id": 7676492, "default_profile": false, "profile_sidebar_border_color": "181A1E" }, "in_reply_to_screen_name": null, "in_reply_to_user_id": null }

#5

You are correct. I have seen that message before in my timeline, also from mobile web. When I asked him, he told me he was asleep at the time.

I don’t know whether changing a password would help much. Mobile web is an OAuth app.

I’d say it’s more likely that it’s your account that has been compromised and not mobile web. If I remember the related support page correctly, it’s recommended to change your password and revoke the app that’s causing it. If that did not help, contact support.

My guess is that they have noticed that mobile web is easy to log in to once they have found your password. This is why Twitter wants to limit xAuth access. However, it looks like spammers have found an alternative to xAuth.

Tom


#6

It’s nearly impossible that it’s my account. I randomize all my passwords using a cryptographically secure generator and always use SSL.

I’m about 95% sure it’s a hole in mobile web. If you search Twitter for that tweet, you find it in a lot of places. When my account sent it out, 3 people replied to me trying to triangulate the app that caused it, because they had been seeing this same scam.

And someone at Twitter just reset my password again. This is getting annoying.


#7

Out of interest, did you ever resolve this or find out what the problem was? I had a similar issue with mobile web after resetting my password, although I’m not entirely confident my password is secure (it’s used on too many sites, so it’s possible it got out in unsalted or even plaintext form, associated with either my username or email). I.e. perhaps it was just a bot that kept trying my account until I reset the password to the one it thought my account should have (it happened within about 24h of resetting my password).