
How to send DMs on Twitter without permission - brodd
https://homakov.blogspot.com/2013/12/how-to-send-dm-on-twitter-wo-permission.html
======
chaz
> I wrote a full disclosure post 5 minutes after finding the bug because
> twitter doesn't reward "bounty hunters".

Companies without bug bounties don't deserve responsible disclosure? Twitter
has a pretty clear way to reach them, and recognition is given on their page.
If recognition isn't sufficient for responsible disclosure, how much money
would be enough? I think bug bounty programs are great, but I don't think they
should be mandatory.

[https://about.twitter.com/company/security](https://about.twitter.com/company/security)

~~~
doughj3
> Companies without bug bounties don't deserve responsible disclosure?

That seems to be homakov's view, yes, and I can't say I don't understand his
view.

~~~
md224
Of course you understand it, but do you agree with it?

If you seek out bugs in a company's code with the expectation that you'll be
rewarded for it, and then the company fails to reward you, I can see that it
might be perceived as unfair, especially if the company indicated that such an
expectation was reasonable.

If you happen across a bug in a company's code, and then publicize it because
they aren't going to pay you money for it, that seems a little more like
"blackmail." People really shouldn't orient their moral systems around money.

~~~
drewcrawford
Well given that homakov has found this bug, there are a few possibilities:

A. Homakov could do nothing. This leaves Twitter in the same state that it is
now, but if everybody did this, it is likely that nefarious people would
find and exploit bugs in Twitter

B. Homakov could donate his time, as a skilled and highly-trained professional
consultant, to a $32bn publicly-traded company

C. Homakov could practice full disclosure

This isn't even close to blackmail. This is a security consultant publishing a
vulnerability that he discovered on his own time, that apparently Twitter's
internal security team missed. That might be embarrassing for Twitter, but
that's hardly homakov's problem as a third party.

~~~
md224
> This isn't even close to blackmail. This is a security consultant publishing
> a vulnerability that he discovered on his own time, that apparently
> Twitter's internal security team missed. That might be embarrassing for
> Twitter, but that's hardly homakov's problem as a third party.

Perhaps "blackmail" was too harsh a word. A better analog might be discovering
a business left their back door unlocked. Do you announce it to the entire
neighborhood because the business doesn't give out "security prizes," or do
you attempt to notify the employees? That seems like the point of responsible
disclosure.

~~~
drewcrawford
Well I think we are blurring two different issues here. The first question is
whether or not full disclosure is acceptable. The second question is whether
or not it is acceptable to choose it because one is not being paid.

As far as full disclosure being acceptable, there are a lot of advocates. For
example Bruce Schneier, Leonard Rose, and others. Not to mention that this
issue isn't in a high impact category like remote code execution, loss of
data, privacy, etc. It's also difficult to exploit; it requires authorizing a
malicious app. So for all those reasons separately, and certainly all of them
together, I think full disclosure is a completely acceptable choice.

Given that it is acceptable, is it still acceptable to do it if it furthers
our own interests? Again, I think the answer is yes. The fact it is in my
interest does not make an acceptable action into an unacceptable one.

You seem to be hung up on the fact that the researcher here was not
particularly nice to Twitter. But people are under no obligation to be nice.
It would be nice if you sent me a check for $200. But you won't, because
there's no obligation to do that. And you and I--two strangers arguing with
each other on the Internet--have a much stronger relationship than this
researcher has with Twitter.

------
jxf
People in various forums (a couple on HN, SO, Egor's blog, Twitter itself)
seem to be saying something like "this isn't really a bug".

It's definitely a bug. Twitter requires clients to ask for the DM permission
before they can send DMs. With Egor's approach, clients can privilege-escalate
themselves to send DMs even if they never asked for that permission (although
they still need to be authorized to send tweets).

Also, even worse, Twitter doesn't consider it a bug, according to the person
who originally reported it (who was not Egor):
[https://twitter.com/DaKnObCS/status/411869431036653568](https://twitter.com/DaKnObCS/status/411869431036653568)

And here's a response from Ben Ward, the Twitter web lead:
[https://twitter.com/benward/status/411924515459850240](https://twitter.com/benward/status/411924515459850240)

~~~
jkrems
Read the API docs, only reading DMs needs a special permission, POST direct
message only needs the permissions that writing a "normal" tweet would.
There's no bug here. Maybe a confusing security model, but no bug.

------
gkoberger
This is the same guy who hacked GitHub (and Rails) with the multiple
assignment hack, among other things.

~~~
Kiro
homakov is as famous as PG on HN.

~~~
larrys
Where is he "as famous"?

On HN? Or somewhere else (if so where?) where he is "as famous as PG on HN".

If you mean he is as famous on HN as PG is on HN I don't think that is the
case.

~~~
flebron
He means that the following are equivalent:

* How famous PG is in HN

* How famous homakov is in HN

~~~
JetSpiegel
Who is PG? Parental Guidance?

~~~
GeneralList
Close.

~~~
onedev
I suppose you can say he is a sort of Parental Guidance for HN.

------
edent
It only allows you to send DMs to those users you can already message - which
is a small mercy.

This is part of Twitter's "Get Better" problem - where they've allowed SMS
commands to be activated via non-SMS interfaces -
[http://techcrunch.com/2012/05/26/twitter-get-better/](http://techcrunch.com/2012/05/26/twitter-get-better/)

Of course, it doesn't help that Twitter's permissions system is really poorly
thought out. An app which only wants to read your Tweets also has WRITE access
as well.

~~~
homakov
So twitter should replace R&W DM with just R DM permission, because W DM comes
automatically with R&W Tweets. Isn't it.. so wrong?

------
xs_kid
It isn't a bug according to Twitter employees:

[http://twitter.com/jmhodges/status/411975535703511040](http://twitter.com/jmhodges/status/411975535703511040)

------
bcardarella
The 'd' syntax for sending DMs has been around from nearly the beginning (or
from the actual beginning?) of Twitter. That in itself is not a bug. However,
Twitter should be stripping that leading 'd' from anything that is reposting
or from a 3rd party OAuth session.
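
A channel-aware routing check, added here as an illustration and not Twitter's code: the legacy function models the behaviour the thread describes (the SMS `d <user> <message>` parser running on every status, so a tweet-write grant also sends DMs), and the fixed function only honours command syntax on the SMS channel or when the app actually holds a DM-sending scope, otherwise posting the text verbatim and flagging the attempt for monitoring rather than stripping the prefix. Scope names, the `Outcome` type and the 15-character username limit in the regex are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed model of the SMS command syntax discussed in the thread.
DM_COMMAND = re.compile(r"^\s*d\s+@?(\w{1,15})\s+(.+)$", re.IGNORECASE | re.DOTALL)

SCOPE_WRITE_TWEETS = "write_tweets"  # hypothetical scope: post statuses
SCOPE_WRITE_DM = "write_dm"          # hypothetical scope: send direct messages


@dataclass(frozen=True)
class Outcome:
    action: str                  # "tweet", "dm" or "reject"
    recipient: Optional[str] = None
    body: str = ""
    flagged: bool = False        # command syntax seen over the API without DM rights


def route_status_legacy(text: str, scopes: FrozenSet[str]) -> Outcome:
    """Channel-unaware parser (the misfeature): any status that looks like
    'd user message' becomes a DM as long as the app may post tweets."""
    if SCOPE_WRITE_TWEETS not in scopes:
        return Outcome("reject")
    match = DM_COMMAND.match(text)
    if match:
        return Outcome("dm", match.group(1), match.group(2))
    return Outcome("tweet", body=text)


def route_status(text: str, channel: str, scopes: FrozenSet[str]) -> Outcome:
    """Fixed routing: command syntax is interpreted on the SMS channel (where
    the sender is authenticated by phone number, not OAuth scopes); over the
    API it is honoured only with an explicit DM scope, otherwise the text is
    posted verbatim and the attempt is flagged so it can be monitored."""
    match = DM_COMMAND.match(text)
    if channel == "sms":
        if match:
            return Outcome("dm", match.group(1), match.group(2))
        return Outcome("tweet", body=text)
    if SCOPE_WRITE_TWEETS not in scopes:
        return Outcome("reject")
    if match and SCOPE_WRITE_DM in scopes:
        return Outcome("dm", match.group(1), match.group(2))
    # No escalation: the 'd' prefix is plain text here, but note the attempt.
    return Outcome("tweet", body=text, flagged=bool(match))
```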

~~~
TillE
It's not a bug per se, but it's certainly a hideous misfeature to have ever
had that kind of input parsing except on the SMS interface to Twitter. It's
just completely unnecessary.

~~~
TazeTSchnitzel
This isn't the first bug to be found because of it!

------
adelevie
Not sure how many hours go into finding these sorts of vulnerabilities, but
his rate of $150/hour[1] seems like a steal compared to the lost revenues he
can prevent.

[1] [http://www.sakurity.com/](http://www.sakurity.com/)

~~~
iloveponies
On the flip side, Homakov personally has incredibly bad OPSEC practices which
would make me think twice about using him. There's a correlation between what
you pay and what you might get.

~~~
TheCowboy
What do you even mean to have "incredibly bad OPSEC practices"? Without an
explanation, your comment comes across as more unnecessary snark, which
unfortunately isn't uncommon in threads that remark upon Homakov, or on HN in
general.

~~~
iloveponies
[https://twitter.com/homakov/status/387805705669206016](https://twitter.com/homakov/status/387805705669206016)
[https://twitter.com/homakov/status/345544666483130368](https://twitter.com/homakov/status/345544666483130368)
[https://twitter.com/homakov/status/218630370231451648](https://twitter.com/homakov/status/218630370231451648)

~~~
homakov
I am not trying to hide my real name. If you need my ID just ask.

------
jcutrell
This is in line with a long laundry list of horribleness about user experience
as related to DMs in my opinion. They don't work as expected, and quite
honestly to me it feels like Twitter is running a campaign to destroy peoples'
love of the DM in search of a Solution, maybe in preparation for a dm 2.0 or
something.

Some of the experience elements of DM have been fixed on the iPhone, but last
I checked, the problems on web desktop made me so annoyed that I stopped using
DMs altogether.

~~~
homakov
Taking into account this bug and twitter's response - they don't distinguish
DMs from tweets much. The privacy of DMs doesn't mean to them what it means
to us.

------
mergy
Come over to App.net. It will be a while before the masses ruin that.

Free invite link >>
[https://join.app.net/from/fjjgdclsjq](https://join.app.net/from/fjjgdclsjq)

~~~
joelandren
Oh, I don't think you have to worry about the masses ever ruining App.net

~~~
onedev
I think I'll avoid it as well. I wouldn't want to accidentally ruin it.

