Web vulnerabilities are lame and web developers too. We all know this.
And here is what you can read on @britneyspears' Twitter.
Basically, TwitPic allows Twitter users to upload and post pictures to their Twitter status. How? You log in on the TwitPic website with your Twitter login and password, then upload your picture, and that's it. According to their Twitter feed they have more than 2 million users, and as you can see they have users who own a verified account, like @britneyspears with more than 2 million followers. For your information, a verified account can be recognized by the following icon: and such accounts have from 10k to 2 million followers.
There is even a feature which allows you to tweet a picture from your phone by mailing the following address: username.XXXX@twitpic.com
XXXX stands for the PIN code. It is obvious that 4 characters is A HUGE MISTAKE from a security point of view. But the funniest thing is… this PIN code is a 4-DIGIT code. Yes, only 10^4 possible values… I am crying blood. I'm crying tears from my eyes that I can't deny and I am falling like a comet from the broken sky.
#1 This is a shame from a security point of view. This is not even 62^4, this is 10^4.
#2 They store both login + password (either in plaintext or using a reversible algorithm)
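As an added example (not code from the original post or from TwitPic), here is what a hardened version of the mail-posting secret could look like while keeping the post's username.XXXX@twitpic.com address format: a long random token instead of a 4-digit PIN, only a salted hash stored server-side (so nothing reversible is kept), a constant-time comparison, and a lockout after repeated failures. The class and function names are hypothetical; token_bits just makes the 10^4 vs 62^4 comparison from the post concrete.

```python
import hashlib
import hmac
import math
import re
import secrets

def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a token: 4 digits give ~13.3 bits, 4 alphanumerics ~23.8."""
    return length * math.log2(alphabet_size)

# username.TOKEN@twitpic.com, the address format described in the post
ADDRESS_RE = re.compile(r"^([A-Za-z0-9_]{1,15})\.([A-Za-z0-9_-]+)@twitpic\.com$")

def parse_posting_address(addr: str):
    """Split username.TOKEN@twitpic.com into (username, token); None if malformed."""
    m = ADDRESS_RE.match(addr)
    return (m.group(1), m.group(2)) if m else None

class PostingTokenStore:
    """Hypothetical hardened replacement for the 4-digit mail-posting PIN."""
    MAX_FAILURES = 5

    def __init__(self):
        self._hashes = {}     # username -> (salt, sha256(salt || token))
        self._failures = {}   # username -> consecutive failed verifications

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(24)   # 192 bits of entropy, versus 10^4 for a PIN
        salt = secrets.token_bytes(16)
        self._hashes[username] = (salt, hashlib.sha256(salt + token.encode()).digest())
        self._failures[username] = 0
        return token                        # shown to the user once, never stored in clear

    def verify(self, address: str) -> bool:
        parsed = parse_posting_address(address)
        if parsed is None:
            return False
        username, token = parsed
        if username not in self._hashes or self._failures[username] >= self.MAX_FAILURES:
            return False                    # unknown user, or locked out after too many failures
        salt, expected = self._hashes[username]
        candidate = hashlib.sha256(salt + token.encode()).digest()
        if hmac.compare_digest(candidate, expected):  # constant-time comparison
            self._failures[username] = 0
            return True
        self._failures[username] += 1
        return False
```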
By the way, TwitPic is NOT even a department of Twitter Inc.
If you look at the terms page, it looks like the HQ address of TwitPic is this:
Twitpic Inc,7736 Farr St Suite 907, Charleston, SC 29492
which is different from Twitter HQ
Twitter Inc., 539 Bryant Street, Suite 402, San Francisco CA 94107.
Twitter has an advanced search feature, so it is not really hard to find potential victims:
http://search.twitter.com/search?max_id=2387073237&page=3&q=http%3A%2F%2Ftwitpic.com%2F or you can still look at the client used by a Twitter user. You should read something like: “from TwitPic”
According to TwitPic, they are working on it. But the question is: how is this kind of vulnerability possible in 2009? Is that what people call Cloud Computing Bullshit?
We've implemented a fix for the email posting vulnerability, a full blog post explaining the issue will be released soon
We can walk on the moon, we made high-speed trains, people are working on quantum mechanics AND WE CAN STILL FIND THIS KIND OF VULNERABILITY?
- To conclude, Web 2.0 is even more than a failure. It shows you how much people can like Britney Spears, or how many of your Facebook friends are stupid enough to send you invitations to join 5 million people in the “Join this group if you want to change the color of your name on Facebook” Facebook group.
- People do not care about security and do not even know what this word means.
- A PHP developer can buy a Ferrari by writing a 2k-line website.
- The 2009 music industry is a failure.
And we are supposed to improve the way people can use a computer? To change their lifestyle and the world?