Hackers can hijack tweets using a python script, created by misterch0c that runs through any twitter account to allow anyone to hijack any twitter accounts or users tweet.
When the script is run in python, it goes through the Twitter accounts tweets and locates any links shared by the Twitter user. The script then checks whether or not the links found in the tweets have expired, and are no longer registered, or not. Once it pinpoints the websites that actually aren’t registered, the attacker can register the domain for themselves and redirect it to any website they like.
Attackers can misdirect users into going to a malicious website infected with a virus, or a phishing page. Therefore the level of threat the script provides is great.
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# Copyright (c) 2017 @misterch0c
# This program is free software: you can redistribute it and/or modify
# it under the terms of the HTL Hodge Twins License as published by
# the Free Gains Foundation, version 1 and only of the License.
#
# This program is distributed in the hope that you do whatever the F*CK,
# you wanna do with it.
import tweepy
import time
import threading
import sys
import re
import pythonwhois
from secrets import consumer_key, consumer_secret, access_token, access_token_secret
class myThread (threading.Thread):
def __init__(self,accounts):
threading.Thread.__init__(self)
self.accounts=accounts
def run(self):
print "Starting " + self.name
findem(self.accounts)
def get_all_tweets(screen_name):
alltweets = []
new_tweets = api.user_timeline(screen_name = screen_name,count=200)
alltweets.extend(new_tweets)
oldest = alltweets[-1]['id'] - 1
while len(new_tweets) > 0:
new_tweets = api.user_timeline(screen_name = screen_name,count=200,max_id=oldest)
alltweets.extend(new_tweets)
oldest = alltweets[-1]['id'] - 1
print "...%s tweets downloaded so far for %s" % ((len(alltweets)),"@"+screen_name)
return alltweets
def is_not_registred(url):
try:
who=pythonwhois.get_whois(url)
return 'NOT FOUND' in str(who)
except Exception:
print('oops')
return False
def get_accounts():
acc=[]
with open('accounts_leftover') as f:
for l in f.readlines():
twit_name=l.split(',')[0]
acc.append(twit_name)
return acc
def findem(accounts):
urls=[]
print('++ new thread ++')
lock.acquire()
if len(accounts) == 0:
print("++ OVER ++")
lock.release()
return
acc = accounts.pop(0)
lock.release()
tweets=get_all_tweets(acc)
for tweet in tweets:
if 'RT' not in tweet['text']:
nn=tweet['entities']['urls']
for ur in nn:
expanded_url=ur["expanded_url"]
expanded_url = expanded_url.replace("http://","").replace("https://","").replace("www.", "").split("/")[0].split(".")
expanded_url = expanded_url[len(expanded_url)-2:len(expanded_url)]
expanded_url = '.'.join(x for x in expanded_url)
if expanded_url.lower() not in excluded:
print("["+acc+"]"+" -- "+ expanded_url)
if is_not_registred(expanded_url):
print("PWND " + acc +" -- "+expanded_url)
urls.append(expanded_url)
thread1=myThread(accounts)
thread1.daemon=True
thread1.start()
f = open('twit_results', 'a')
f.write(str(urls) + acc +'\n')
f.close()
print("+++ " +str(len(urls))+ " available domain found +++")
print(urls)
auth = tweepy.OAuthHandler(consumer_key, consumer_secret)
auth.set_access_token(access_token, access_token_secret)
api = tweepy.API(auth,parser=tweepy.parsers.JSONParser())
#Let's assume those are registred.
excluded=['twitter.com','facebook.com','fb.me','apple.com','apple.co','snapchat.com','billboard.com','youtube.com','youtu.be','spotify.com','github.com','yahoo.com','fbi.gov','goo.gl','instagram.com','buzzfeed.com','amazon.com','vine.co','twimg.com','persiscope.tv','microsoft.com','fb.on','bit.ly','nike.com']
accounts=get_accounts()
lock = threading.Lock()
for x in range(20):
print(x)
thread1=myThread(accounts)
thread1.daemon=True
thread1.start()
while True:
time.sleep(1)
This method was recently used by a Belgium security researcher named Inti De Ceukelaire to hijack an old Donald Trump tweet, tweeted back in 2012, redirecting people to a youtube video, rather than the National Achievers Congress website that was originally posted.
The hijacked tweet can still be seen on Donald Trump’s official twitter page.
I'll be speaking tomorrow at the San Jose Convention Center (CA) for the first- ever National Achievers Congress http://t.co/m4JN2oIw
— Donald J. Trump (@realDonaldTrump) April 11, 2012
Trump has addressed the tweet and stated that the website of the National Achievers Congress, nac2012.com, was not renewed by the original owner. This allowed Into to buy and register the domain name for himself and redirect it to this youtube video:
Luckily for Donald Trump, Inti De Ceukelaire did not have any malicious or political reasons to successfully attempt the hijack. However, someone who might could use the same method. The hijackers can’t and won’t be arrested either, because it would be completely legal. According to The¯Undersc0re’s blog post on Medium.com, there are more high profiled celebrities who are at risk of having their tweets hijacked, some of them that were tested by The¯Undersc0re are:
Katty Perry, @katyperry , 95.6M
Shakira, @shakira, 42.7M
Jennifer Lopez, @JLo, 39.3M
Aamir Khan, @aamir_khan, 19.8 M
Agnez Mo, @agnezmo, 16.2M
Triple X Movie???, @deepikapadukone, 17.3M
Maroon 5, @maroon5, 13.7M
shaquille o’neal, @SHAQ, 13.2M
Thalia, @thalia, 8.77M
Pegg News, @simongpegg, 6.63M
Twitter has not yet addressed the issue yet. Whether or not they will change Twitters API just to avoid this from happening in the future, regardless, it would be a costly job.
It is also a good reminder to keep our outdated and unused domain names in check and constantly registered so hackers do not use it to their own advantage.