Mailing List Archive

Twitter security team?
Anyone on the list know how to contact the Twitter Security team?

Seems the new update allows an attacker to modify other people's tweets.
The "Hackerone" form for reporting a vulnerability is the wrong form and
the "My account has been hacked" form is also the wrong form. The whole
site has been compromised, I have evidence and can't contact anyone due to
the lack of an appropriate form and the fact that the security@ email
address doesn't work.

Thanks!
Re: Twitter security team?
Yes/No ?

https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities

> On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
>
> Anyone on the list know how to contact the Twitter Security team?
>
> Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
>
> Thanks!
Re: Twitter security team?
Or maybe a tweet to @twittersecurity

> On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
>
>
> Yes/No ?
>
> https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
>
>> On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
>>
>> Anyone on the list know how to contact the Twitter Security team?
>>
>> Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
>>
>> Thanks!
>
Re: Twitter security team?
Why is HackerOne wrong? Seems like this would be exactly what it's for.

On Thu, Jul 18, 2019, 3:04 PM J. Hellenthal via NANOG <nanog@nanog.org>
wrote:

> Or maybe a tweet to @twittersecurity
>
> > On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
> >
> >
> > Yes/No ?
> >
> >
> > https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
> >
> >> On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
> >>
> >> Anyone on the list know how to contact the Twitter Security team?
> >>
> >> Seems the new update allows an attacker to modify other people's
> >> tweets. The "Hackerone" form for reporting a vulnerability is the wrong
> >> form and the "My account has been hacked" form is also the wrong form. The
> >> whole site has been compromised, I have evidence and can't contact anyone
> >> due to the lack of an appropriate form and the fact that the security@
> >> email address doesn't work.
> >>
> >> Thanks!
> >
>
>
RE: Twitter security team?
They also have a bug bounty program on HackerOne:
https://hackerone.com/twitter

> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of J. Hellenthal
> via NANOG
> Sent: Thursday, July 18, 2019 3:01 PM
> To: Ken Gilmour
> Cc: North Group
> Subject: Re: Twitter security team?
>
> Or maybe a tweet to @twittersecurity
>
> > On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
> >
> >
> > Yes/No ?
> >
> > https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
> >
> >> On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
> >>
> >> Anyone on the list know how to contact the Twitter Security team?
> >>
> >> Seems the new update allows an attacker to modify other people's
> >> tweets. The "Hackerone" form for reporting a vulnerability is the wrong
> >> form and the "My account has been hacked" form is also the wrong form. The
> >> whole site has been compromised, I have evidence and can't contact anyone
> >> due to the lack of an appropriate form and the fact that the security@
> >> email address doesn't work.
> >>
> >> Thanks!
> >
Re: Twitter security team?
no

On Thu, 18 Jul 2019 at 12:59, J. Hellenthal <jhellenthal@dataix.net> wrote:

>
> Yes/No ?
>
>
> https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
>
> > On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
> >
> > Anyone on the list know how to contact the Twitter Security team?
> >
> > Seems the new update allows an attacker to modify other people's tweets.
> > The "Hackerone" form for reporting a vulnerability is the wrong form and
> > the "My account has been hacked" form is also the wrong form. The whole
> > site has been compromised, I have evidence and can't contact anyone due to
> > the lack of an appropriate form and the fact that the security@ email
> > address doesn't work.
> >
> > Thanks!
>
>
Re: Twitter security team?
https://hackerone.com/twitter is the correct means to report

-G


On Thu, Jul 18, 2019 at 2:04 PM J. Hellenthal via NANOG <nanog@nanog.org>
wrote:

> Or maybe a tweet to @twittersecurity
>
> > On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
> >
> >
> > Yes/No ?
> >
> >
> > https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
> >
> >> On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
> >>
> >> Anyone on the list know how to contact the Twitter Security team?
> >>
> >> Seems the new update allows an attacker to modify other people's
> >> tweets. The "Hackerone" form for reporting a vulnerability is the wrong
> >> form and the "My account has been hacked" form is also the wrong form. The
> >> whole site has been compromised, I have evidence and can't contact anyone
> >> due to the lack of an appropriate form and the fact that the security@
> >> email address doesn't work.
> >>
> >> Thanks!
> >
>
>
Re: Twitter security team?
Because I didn't find the vulnerability, I'm not looking for a bug bounty
and I don't know what the vulnerability is, just seeing the effects of it.

On Thu, 18 Jul 2019 at 13:06, Ross Tajvar <ross@tajvar.io> wrote:

> Why is HackerOne wrong? Seems like this would be exactly what it's for.
>
> On Thu, Jul 18, 2019, 3:04 PM J. Hellenthal via NANOG <nanog@nanog.org>
> wrote:
>
>> Or maybe a tweet to @twittersecurity
>>
>> > On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
>> >
>> >
>> > Yes/No ?
>> >
>> >
>> > https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
>> >
>> >> On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
>> >>
>> >> Anyone on the list know how to contact the Twitter Security team?
>> >>
>> >> Seems the new update allows an attacker to modify other people's
>> >> tweets. The "Hackerone" form for reporting a vulnerability is the wrong
>> >> form and the "My account has been hacked" form is also the wrong form. The
>> >> whole site has been compromised, I have evidence and can't contact anyone
>> >> due to the lack of an appropriate form and the fact that the security@
>> >> email address doesn't work.
>> >>
>> >> Thanks!
>> >
>>
>>
Re: Twitter security team?
On Thu, Jul 18, 2019 at 12:45:25PM -0600, Ken Gilmour wrote:
> I have evidence and can't contact anyone due to
> the lack of an appropriate form and the fact that the security@ email
> address doesn't work.

Of course I'm not surprised that the ignorant newbies running Twitter
can't manage this: who wouldn't be, given their atrocious track record?
But for everyone else:

[ engage soapbox ]

RFC 2142 was published in 1997, and most of the role addresses it
specifies were in relatively common use prior to that.

Yet -- nearly every day -- this list carries traffic from someone
attempting to help/warn/etc. some allegedly professional operation
that has its fingers firmly lodged in its ears in a desperate attempt
to prevent basic communication and expects people who are already
trying to provide them with free consulting services to jump through
various annoying hoops in order to do so.

RTFRFC, folks, and implement it. It's operations 101. It's something you
should have done in the first hour of the first day, before you turned on
the rest of your stuff. It's not hard. And when a day like this comes
for your operation, which it will, it may save you considerable pain,
time, and/or money.

[ soapbox off - for now ;) ]

---rsk
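
As an added example (not part of the thread or any poster's code), one way to check that the RFC 2142 role addresses discussed above actually deliver somewhere is to audit a sendmail-style aliases table. The `REQUIRED` list, the function names and the sample table are assumptions made for this illustration.

```python
# Roles required here are this example's assumption; RFC 2142 ties each name to a service the site offers.
REQUIRED = ("postmaster", "hostmaster", "abuse", "noc", "security", "webmaster")
DISCARD = {"/dev/null"}

def parse_aliases(text):
    """Return {lowercased alias: [targets]}, handling comments and continuations."""
    table, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t" and current:      # continuation of the previous entry
            targets = line
        elif ":" in line:
            name, targets = line.split(":", 1)
            current = name.strip().lower()    # role names match case-insensitively
            table.setdefault(current, [])
        else:
            continue
        table[current] += [t.strip() for t in targets.split(",") if t.strip()]
    return table

def resolve(name, table, seen=()):
    """Follow alias chains to final targets; this example treats a loop as no target."""
    key = name.lower()
    if key in seen or key not in table:       # loop, or a user/address/file/pipe
        return set() if key in seen else {name}
    return set().union(*(resolve(t, table, seen + (key,)) for t in table[key]))

def audit(text, required=REQUIRED):
    """Classify each required role as ok, missing, or undeliverable."""
    table = parse_aliases(text)
    return {role: "missing" if role not in table
            else "ok" if resolve(role, table) - DISCARD else "undeliverable"
            for role in required}

# Constructed sample table, not taken from any real host.
SAMPLE = """\
Postmaster: alice, bob@example.net
abuse:      /dev/null      # silently drops every report
Security:   secteam
secteam:    alice,
            carol
hostmaster: dnsadmin
dnsadmin:   hostmaster
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A role that exists but resolves only to `/dev/null` or to an alias loop is reported separately from a missing one, since from the reporter's side both look like an address that "doesn't work".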