
Finding vulnerable Twitter accounts with expired domains - zainamro
https://zainamro.com/hacks/finding-vulnerable-twitter-accounts
======
Taek
At some point in time we decided that email addresses control the keys to the
kingdom. If you lose access to your email, there goes your social media
accounts, your bank accounts, your gaming accounts, and potentially many of
your commercial accounts as well.

And then we decided that custom domains are the most professional. Which does
make sense, there can only be one 'robert@gmail.com'. But, this is coupled
with the idea that domains can expire, and that expiry does not appear to kill
the identity that's potentially associated with the domain.

We should not be using email addresses as our primary source of identity
verification in the first place. And we definitely _should_ have some way to
globally declare that an identity has been compromised. Especially given our
society's track record of keeping databases safe from breaches.

I more or less assume it is inevitable that one of my major accounts will be
compromised, and that this will be able to cascade into most of my major
accounts being compromised. I do what I can to protect myself, but gmail as a
single source of failure makes me nervous. Using any email provider besides
gmail makes me even more nervous, because they don't have the full power and
knowledge of Google protecting their databases.

~~~
asciident
You point out some problems, but how do we actually do these?

Without emails as the keys to the kingdom, what would you use?

Without a global identifier for a human person (like social security in the
US), how would we declare that an identity is compromised?

While I believe your ideals are well-intentioned, I think they're impractical
in our current society.

I would propose that an email is the key to the kingdom, that people running
custom domains and using them for email must deposit $500 in registration to do
so (to ensure the domain is registered for their lifetime), and that they
should be protected by a password plus 2FA with your phone being the other
factor. And I propose that each person should be uniquely identifiable by an
email address stored in a global publicly-accessible database.

~~~
dewey
There's a difference between an email address and a social security number in
a way that the latter will still be around if you stop paying for it or
something happens to you. In some way (at least for this threat model) a gmail
address is better than one on your own domain as it's unlikely to go away or
get taken over.

~~~
PinguTS
Why should my own domain be taken over? It can be taken over as easily as someone
could take over my gmail.

I use my own domain on my own server with my own running mail server. Why
should someone take that over?

Of course someone with state level hacking experience could do that, but I am
not a target for those. Script kiddies have no luck, because you can't even
log in from the Internet into my server; you will need to VPN in first.

~~~
dewey
My point wasn't about how gmail is perfect but that things that are under your
control (domain you have to pay for, needs interaction from time to time) are
more fragile sometimes than if they are not (social security number isn't
going away).

------
jimmies
This domain hijacking idea reminds me of an incident with Google I discovered
a couple of years ago that landed me a bug bounty with them. I found out they
created email logins with a not-registered domain for their candidacy account.
I ended up registering that domain and "sold" it back to them in good faith.
At least I can die with a smile on my face -- I once sold Google a domain.

details: [http://www.tnhh.net/posts/gcandidate-who-is-interviewing-wit...](http://www.tnhh.net/posts/gcandidate-who-is-interviewing-with-google.html)

~~~
TwoBit
Did you get the job you were looking for?

------
superasn
Even though they show the starred email address and one of the suggestions is
not to show the email, I really hope people don't do that.

There is nothing more frustrating than when you're recovering your password and
the site says "we have sent you an email" with no hint where, and even worse,
sometimes they say "if that email was in our records then you should get the
link" and you're wondering whether that worked, and the #1 worst is after making
me solve 10 traffic lights and zebra crossings.

Because at that moment I feel it's just easier to start over and create a new
account.

~~~
ugexe
I don’t think you having to either A) remember what email you used or B)
create a new account is a big ask when the alternative is leaking your
account presence on a given system. Not everyone wants other people to be able
to essentially query a given app for an email account.

~~~
reaperducer
The vast majority of people don't use the same e-mail address for their entire
lives.

~~~
superasn
You're right. An example use case.

Monitor having issues. Google solution. Land on a forum, but to see the full
post / solution it requires email registration. I register with a junk yahoo
type email address. Complete the long form, solve all the traffic lights, etc.
Then get the solution, make a few posts and probably forget about it.

Monitor having a problem again after 2 years; same forum, but it says my very
unique username is taken. Now, I vaguely remember creating an account but
don't remember what email I used. I try to reset my password but dang, each
time it says "If that email was in our db you'll get it". If I get a hint that I
used yahoo maybe I can resume and hopefully use my old account with some post
count rather than starting a 1-day-old account with 0 posts.

~~~
ugexe
So your idea is to always give malicious actors additional information for
account takeovers so you can use an account with a non-zero post count (not
just non-zero, but only 1 or 2 as you insinuated)? Do you not see how naive
that is?

------
WA
This was a common way to harvest 6-digit ICQ numbers back in the day. Hotmail,
MSN etc. had expiring email addresses as well that you could register to reset
the password to the ICQ number.

~~~
ObsoleteNerd
Yeah this has been a common attack since as early as I can remember. Company
goes bust? Wait for their domain to expire then register/catch-all and start
seeing what mail you get from websites to see where there are accounts using
that domain. Also plenty of more targeted methods too.

~~~
Thorrez
I wonder if it would be useful to use Have I Been Pwned to find a list of
accounts on websites using that domain.

------
Thorrez
> I believe it accounts for a large portion of stolen accounts/handles on the
> platform.

I doubt it's a large portion. It costs money for each hijacked account, and
custom domains I would assume are only used on a tiny fraction of accounts.
The vast majority of stolen accounts I would attribute to credential stuffing.

------
rickdeveloper
What would be a universal solution to this problem? The only thing I can
really think of is platforms not allowing custom domains for connected email
accounts, but that seems sub-optimal.

~~~
pazu
Instead of blocking custom domain email addresses outright, the site could
require a secondary recovery email address from an approved provider when an
email with a custom domain is used to create the account. Then any security
interaction like password reset, or 2fa would go to the primary address and
would send an alert to the secondary email address about the nature of the
communication. There could be a link in the email (sent to the secondary email
address) that could allow the user access to instantly lock the account and/or
disable access to the account from the primary email address until the user
updates their settings. The secondary recovery email address should not be
able to be changed without an email confirmation (to the secondary email).

Good practice for users in general is to use email services like gmail as
their login/account email and add their custom domain emails in their bio.
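
One way to implement the policy pazu sketches, as an added example that is not code from the thread or from any platform it mentions: a custom-domain primary must carry an approved-provider recovery address, every security action alerts the secondary with a single-use lock token, and the secondary only changes after confirmation to the current one. The provider allowlist and all addresses below are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional
# Assumption (not from the thread): an allowlist of large providers whose addresses do not lapse with a domain.
APPROVED_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

@dataclass
class Account:
    primary: str
    secondary: Optional[str] = None
    locked: bool = False                                  # set by the lock link; primary may no longer act
    lock_tokens: set = field(default_factory=set)         # outstanding single-use lock tokens

def register(primary: str, secondary: Optional[str] = None) -> Account:
    """A custom-domain primary must be paired with an approved-provider secondary."""
    if domain_of(primary) not in APPROVED_PROVIDERS:
        if secondary is None or domain_of(secondary) not in APPROVED_PROVIDERS:
            raise ValueError("custom-domain primary needs an approved recovery address")
    return Account(primary=primary, secondary=secondary)

def security_event(acct: Account, kind: str) -> dict:
    """Route the action to the primary and an alert carrying a lock link to the secondary."""
    if acct.locked:
        raise PermissionError("account locked from the secondary; primary address may not act")
    out = {"to_primary": f"{kind} requested for {acct.primary}"}
    if acct.secondary:
        token = secrets.token_urlsafe(16)                 # single-use, embedded in the alert's lock link
        acct.lock_tokens.add(token)
        out["to_secondary"] = f"alert to {acct.secondary}: {kind} on {acct.primary}; lock: {token}"
        out["lock_token"] = token                         # handed back to the caller only, never to the primary
    return out

def lock_via_secondary(acct: Account, token: str) -> bool:
    """The lock link from the alert: consume the token and lock the account."""
    if token not in acct.lock_tokens:
        return False
    acct.lock_tokens.discard(token)
    acct.locked = True
    return True

def change_secondary(acct: Account, new_secondary: str, confirmed_by_old_secondary: bool) -> bool:
    """The recovery address changes only after confirmation sent to the current one."""
    if not confirmed_by_old_secondary or domain_of(new_secondary) not in APPROVED_PROVIDERS:
        return False
    acct.secondary = new_secondary
    return True
```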

~~~
leonidasv
But what if the provider takes your account down? You end up with an
unrecoverable account.

------
jl6
This isn’t the workflow I see when trying the password reset process on an old
account that I’ve recently tried to recover. I’ve forgotten both the password
and the email address associated with the account, but I know the domain I
would have used, and I own it so I could easily prove ownership of the email
address if I knew what it was.

But when I click Forgot Password, it asks me for my username and also the
email address before I can continue.

How do you get the email address hint like the article shows?

~~~
stevenringo
I am also not seeing the behaviour that the OP describes.

------
blindm
One has to wonder about sustaining access to a compromised account. Twitter in
my experience has been very aggressive in asking to verify my account with a
phone number when logging in from shady locations / with a VPN. What if you
get access to an account using the method described in the article, but then
days later get locked out due to suspicious-looking behavior / you don't have
access to the phone number used to register the account?

~~~
paulpauper
you would remove the phone number after logging in. if it asks for the phone
when logging in initially, then you are SOL. to prevent this, the hacker
would make sure the location of the account matches the country of the IP
logging in.

------
ErikAugust
Anyone else have people sign up for accounts with your email address? I had
one recently where I could access a working GrubHub account for a while. And
in the spirit of lame on-boarding optimization and “churn” prevention, while I
could have used it - I couldn’t cancel the account. That required the phone
number associated.

~~~
iotku
I had someone create a spotify account on one of my emails with an old
(clearly burnt) password as the username.

Why? I figure that's generally either for spamming or viewbotting (Re: likes,
stars, etc) purposes especially on sites that don't require email verification
to do things.

------
Fnoord
This is how I used to get all kind of old ICQ numbers back in the 90s. Hotmail
addresses, back then, used to expire.

Ironically enough, I've been vulnerable to the described attack afterwards as
I had my own domain, didn't use it much anymore, and gave it away (to a band
with the same nickname). Back then, a domain was pricey, and I was poor, so...

------
paulpauper
i dunno how this got to the front page. this is an extremely old vector and
not even that effective given the tiny, tiny likelihood of finding a domain or
account that works. It would actually be cheaper to buy an old twitter
account from someone who does not use his account anymore, legit, than try to go
through millions of accounts, which requires tons of proxies and other evasion
methods. Twitter is not easily searchable and neither is google. Twitter has
extreme rate-limiting measures, so you need a lot of proxies for this to work
and those cost money.

------
vmception
> This attack can potentially be executed on other platforms besides Twitter,
> assuming one can find a similar discovery method

You don’t need another discovery method after you take their Twitter account
and email :)

Only for targets not on twitter.

My point is that Twitter is probably enough.

But if you really just want to compare domain names that are expiring to email
addresses, you can just use one of those business bots that spammers,
recruiters and sales people use, and just check emails in their database to
domains expiring.

------
bdcravens
My wife and I started up a small reselling business, based on our name. The
dotcom for it was previously owned, but they let the domain lapse, but they
still have the Twitter account (that has the web address we now own in their
profile; they haven't posted since 2016). I tried an approach similar to the
article, but they apparently used Gmail to set it up. (I reached out to them
to buy it to no response; I assume that Twitter account has been orphaned)

~~~
vmception
time to add an underscore to the name

~~~
Lammy
Or maybe see if they Have Been Pwned in the past.

------
thdc
What if we could have services encrypt their emails sent to us via pgp? eg
Twitter (or anything else) asks for your public key and then sends all future
emails using it.

~~~
giomasce
Facebook does that if you add your key to your account.

------
tucif
I've thought about this in terms of people passing away and the domain no
longer being renewed afterwards.

10 years limit on domain registrations seems ridiculous, we need lifetime-span
registration capabilities, at least.

------
rootsudo
This has been standing practice for a while and is not connected to just
Twitter. Sometimes you can find public NDRs online via bug reports and such
and easily grab a service account.

------
palad1n
Heh. I did something like that:
[https://xach.livejournal.com/227751.html](https://xach.livejournal.com/227751.html)

------
Lammy
On the plus side, it's heartening to learn enough people use
non-GMail/Outlook/Yahoo/WhateverSilo email addresses to make such an attack viable
:)

------
homero
Didn't Yahoo close unused accounts at some point opening the doors to all
kinds of takeovers?

------
jcims
Curious what Twitter would do if this was contested later.

------
mobilio
If you get domain you can watch for mails from LinkedIn, Pinterest, Facebook,
Instagram and many more!

------
SR-71_Blackbird
Old news, this has been known for years.

