Twitter DM character limit liberation spells opportunity for botnets
Direct message command and control hides in the walla walla rhubarb.
London security researcher Paul Amar has built a tool capable of exploiting Twitter's extended direct messaging function for covert botnet command and control.
Amar created Twittor, which allows attackers, white hat or black hat, to create a fleet of compromised machines that can communicate, receive instructions, and update over the social network.
Twitter removed its 140 character limit for private direct messages between accounts in August.
It's a stealthy attack, since the Twittor command-and-control network traffic looks the same as legitimate tweeting, so bots are hard to seek out and destroy, Amar says.
A stealthy Python-based backdoor that uses Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat, which does the same but using a Gmail account.
I mostly wanted to create a PoC after Twitter decided to remove the 140-character limit for the Direct Messages. A few things should be added, such as encryption (adding AES on top of it).
Twittor bots are limited to 100 direct messages a day. New bots can be created with additional accounts, however.
The Python-based Twittor can be downloaded on GitHub.
Amar has published other tools, including a cross-site request forgery hacking toolkit, and contributed to a Shodan Firefox extension. ®
Bootnote: Walla and rhubarb are the retrospective US and British terms in the media industry given to indistinct background chatter on TV and radio.