How to send DMs on Twitter without permission(homakov.blogspot.com) |
Companies without bug bounties don't deserve responsible disclosure? Twitter has a pretty clear way to reach them, and recognition is given on their page. If recognition isn't sufficient for responsible disclosure, how much money would be enough? I think bug bounty programs are great, but I don't think they should be mandatory.
That seems to be homakov's view, yes, and I can't say I don't understand his view.
If you seek out bugs in a company's code with the expectation that you'll be rewarded for it, and then the company fails to reward you, I can see that it might be perceived as unfair, especially if the company indicated that such an expectation was reasonable.
If you happen across a bug in a company's code, and then publicize it because they aren't going to pay you money for it, that seems a little more like "blackmail." People really shouldn't orient their moral systems around money.
The term "responsible disclosure" implies that other types are "irresponsible disclosure".
If you discover new information through research, there is nothing irresponsible about publishing it on the open web.
Stop this stupid linguistic battle.
The fact that the bug has been disclosed rather than exploited is, itself, a huge favour to Twitter.
It's definitely a bug. Twitter requires clients to ask for the DM permission before they can send DMs. With Egor's approach, clients can privilege-escalate themselves to send DMs even if they never asked for that permission (although they still need to be authorized to send tweets).
Also, even worse, Twitter doesn't consider it a bug, according to the person who originally reported it (who was not Egor): https://twitter.com/DaKnObCS/status/411869431036653568
And here's a response from Ben Ward, the Twitter web lead: https://twitter.com/benward/status/411924515459850240
Perhaps it should, but it doesn't - apps can use the normal API to send DMs without asking for the special DM permission. So the use of the "d" command through the API isn't a vulnerability (it doesn't let anyone do anything they aren't supposed to be able to do), even if it is weird.
Nonetheless, I think it's wrong to have that feature still working.
This is part of Twitter's "Get Better" problem - where they've allowed SMS commands to be activated via non-SMS interfaces - http://techcrunch.com/2012/05/26/twitter-get-better/
Of course, it doesn't help that Twitter's permissions system is really poorly thought out. An app which only wants to read your Tweets also has WRITE access as well.
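The escalation described in this thread is that a token granted only tweet-writing permission can post "d user text" and have it interpreted as a DM command. As an added example (not Twitter's code), here is a server-side guard a status endpoint could apply so that an SMS-style command is only honoured when the token carries the permission level that command needs. The permission-level names and the command table are constructed for the example.

```python
import re

# Constructed permission levels modelled on the three app levels the thread mentions
# (read-only, read-write, read-write plus direct messages), ranked low to high.
LEVEL = {"read": 0, "read-write": 1, "read-write-dm": 2}

# Hypothetical table: SMS-style command prefix -> level needed if the API honours it.
COMMANDS = {"d": 2, "m": 2, "follow": 1, "unfollow": 1}

# "<command> <screen_name> [rest of message]" at the very start of the status text.
_CMD = re.compile(r"^\s*([a-z]+)\s+@?([a-z0-9_]{1,15})(?:\s+(.*))?$", re.I | re.S)


def parse_command(text: str):
    """Return (command, target, body) if the status would be read as an SMS command, else None."""
    m = _CMD.match(text)
    if not m or m.group(1).lower() not in COMMANDS:
        return None
    return m.group(1).lower(), m.group(2), (m.group(3) or "").strip()


def classify_status(text: str, token_level: str) -> str:
    """Decide what the status endpoint should do with `text` posted under `token_level`.

    A read-only token may not post at all; a command is run only if the token's
    level is at least the level the command needs; otherwise the status is rejected
    rather than silently downgraded to a tweet, so the client learns why.
    """
    have = LEVEL[token_level]
    if have < LEVEL["read-write"]:
        return "reject: token is read-only"
    cmd = parse_command(text)
    if cmd is None:
        return "post tweet"
    name, target, _body = cmd
    if have < COMMANDS[name]:
        return f"reject: '{name}' needs a higher permission level than the token has"
    return f"run command {name} -> {target}"


if __name__ == "__main__":
    # A write-only token trying the DM command is the case from the thread.
    print(classify_status("d alice see you at 5", "read-write"))
```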
There were worse commands; I remember there was a 'follow' command (not sure it was called that). Twitter disabled this.
The d command has some user experience value; however, yes, it makes no sense for Twitter to accept it on non-Twitter apps (meaning those that don't provide the Twitter experience - like mobile clients, TweetDeck, etc.)
Some of the experience elements of DM have been fixed on the iPhone, but last I checked, the problems on web desktop made me so annoyed that I stopped using DMs altogether.
HN has become mainstream enough that a lot of readers don't know who pg is. This is what getting linked from reddit, digg, etc. leads to. I don't mean this is bad, or good. It's the way it is.
* How famous PG is in HN
* How famous homakov is in HN
A. Homakov could do nothing. This leaves Twitter in the same state that it is now, but if everybody did this, it is likely that nefarious people would find and exploit bugs in Twitter
B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company
C. Homakov could practice full disclosure
This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.
Perhaps "blackmail" was too harsh a word. A better analog might be discovering a business left their back door unlocked. Do you announce it to the entire neighborhood because the business doesn't give out "security prizes," or do you attempt to notify the employees? That seems like the point of responsible disclosure.
As far as full disclosure being acceptable, there are a lot of advocates. For example Bruce Schneier, Leonard Rose, and others. Not to mention that this issue isn't in a high impact category like remote code execution, loss of data, privacy, etc. It's also difficult to exploit; it requires authorizing a malicious app. So for all those reasons separately, and certainly all of them together, I think full disclosure is a completely acceptable choice.
Given that it is acceptable, is it still acceptable to do it if it furthers our own interests? Again, I think the answer is yes. The fact it is in my interest does not make an acceptable action into an unacceptable one.
You seem to be hung up on the fact that the researcher here was not particularly nice to Twitter. But people are under no obligation to be nice. It would be nice if you sent me a check for $200. But you won't, because there's no obligation to do that. And you and I--two strangers arguing with each other on the Internet--have a much stronger relationship than this researcher has with Twitter.
Are people going to get killed or lose a lot of cash by knowing how to send unsolicited private messages on twitter?
Like most analogies, it shows your bias rather than some enlightenment on the subject.
D. He could have sold the discovery to someone who'll pay him for it, then have them go on to abuse it to send DM spam to twitter users.
I have no doubt at all that homakov could have sold his discovery for at least as many dollars as any of the well known bug bounties would have rewarded him - if his motivations were purely mercenary…
This is probably the best option, but only if you approach it the same way most contractors do when offering a discount/free service for a client.
When you do free work, don't say it's free -- instead, say that you're offering a 100% discount. Send your client an invoice for the price you'd regularly charge for such a thing, with the entire price deducted off at the bottom. Include a note saying that this is an offering of goodwill, and that you hope this will help in building a relationship with them in the future.
Leave the client to decide for themselves whether this means that your future vulnerability reports will come without this discount, and see what they say in response.
Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".
I'm not saying I'd do the same in this case, but it's a bit of a stretch to assume people-people morals apply to people-corporate situations.
I'm not sure if you're trying to highlight an aspect of communal hypocrisy, but I will say that I wouldn't be one of the people shouting back stuff about "shareholder values" in response to a call for corporate social responsibility.
> it's a bit of a stretch to assume people-people morals apply to people-corporate situations
Sure, there's a bit of a power dynamic in play. But we should also remember that corporations are just huge groups of people working together for some kind of common cause. If you do something kind for a corporation (like, for example, responsibly reporting a security vulnerability instead of releasing it into the wild) then you're essentially doing something kind for the people that work there.
I'm not saying anyone needs to go out of their way to be kind to corporations... I'm just saying we shouldn't treat them like they're not "real" and don't deserve a single iota of basic respect. (Of course, if they show a lack of respect to others, that complicates the picture, but the same would hold for "people-people" morality as well.)
That is absolutely not true. A person doing a favour for a corporation will not get the same result as doing a favour for an individual.
The corporation isn't a group of people - it's a group of people under some control of a few. Their common cause is not the common cause of the employees, but that of those few in control. And I said 'is', because the corporation only has one cause - to make profit, any way possible.
Do not ever place any loyalty, or sympathy for corporations. Do not expect them to behave morally, or altruistically. It will only end badly for you. Try to extract as much value out of a corporation as you can, just as they do to you.
But Twitter is like saying "back off, we are huge and we don't pay researchers a cent". So let it be.
Twitter obviously wouldn't drag a hacker to court. I'm saying, in general, don't do this, because other companies might. http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case
Lie back and think of England.
He's not US-based, so he can freely give them the finger. Good for him.
It's not paranoia. Once you start straying from the path of responsible disclosure, the path to danger is quite short.
In this case, I think you're in no real danger since it's Twitter. So don't worry. But if it were some other company, though, you wouldn't be able to rely on goodwill to protect you. And without any protections, there's nothing preventing the (extremely powerful) courts from bringing charges. It's happened before; it will happen again.
I'm not saying it's true, but it's plausible that some people in Egor's position think that way. And he seems to like his publicity, so 1+1 = 2.