
If you looked at the political blogosphere today you likely noticed that the prevailing RepWeiner tweet theory of the day is coming from a blog called Cannonfire. The theory is that Congressman Weiner's account was spoofed through yfrog's mobile e-mail upload system. You've probably seen this feature on other services as well; it's not uncommon. In case you're not familiar, the idea is that you can send an e-mail to your online account and it'll automatically turn that e-mail's subject line into a tweet. If you have an image attached to the mail, it'll upload the image for you and add the link to the tweet as well.
Anyone who knows your secret e-mail address can send messages through your account this way. So the theory goes that someone figured out the congressman's secret address and essentially impersonated him, sending the now-infamous photo of dubious work safety to that poor gal near Seattle.
The question I had, then, was how difficult it was to learn someone else's secret e-mail address. It turns out yfrog had already reserved an account for me by virtue of the fact that I have a Twitter account. Logging into the account with your Twitter login provides you with an automatically generated secret e-mail address. From the general discussion of the theory we've learned that the format is TwitterName.*****@yfrog.com, with the ***** being some combination of randomly (or, as the comments suggest, not-so-randomly) generated letters (sometimes five, sometimes four, sometimes more). Try as I might with my own example, I couldn't find any external indication of that random combination of letters.
But of course, generating random letter combinations with a little computer program is pretty elementary, something Friend-Of-Maddow-Show @Sarking pointed out as she watched me scratching my virtual head. And sending e-mails with randomly generated characters.... well, ever heard of spam?
Minutes later...


She figured out other Friend-Of-Maddow-Show @roomerholmes's yfrog e-mail name and Weinered him. Or is it Weinered me? Aaaanyway, you get the idea. Not too hard.
IMPORTANT CONSIDERATIONS: The participants in this experiment are buds and willingly involved.
Also, @roomerholmes had given us a clue about his secret letter combination already so @sarking didn't need a script (a program); she just did it manually. But doing it with a script would be like switching to a calculator from longhand. Not much different, still not hard.
Oops, one more consideration: None of this is meant to say anything conclusive about Congressman Weiner's case. There's no proof of the spoof in this. It was just to play with the idea of posting to someone else's Twitter through their yfrog account.
**updated 6/2 with new info from the comments.
*** 6/6: Looks like this turned out to be a purely academic exercise.
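A defender's-eye model of the feature the post describes, added here as an example (this is not yfrog's code; the Gateway class, its method names and the example.invalid domain are my own): each user gets a long random secret in the local part of the address, and the gateway stops accepting mail for a user after three wrong secrets, the lockout some commenters below report yfrog enforced. The weak generator is included only to show the short, pronounceable pattern commenters observed next to the corrected one.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)

def weak_token() -> str:
    """Five letters with vowels in slots 2 and 4, the pattern commenters saw in
    yfrog codes such as "gudom". Only 21^3 * 5^2 possibilities."""
    return "".join(secrets.choice(VOWELS if i % 2 else CONSONANTS) for i in range(5))

def strong_token(length: int = 40) -> str:
    """40 random lowercase alphanumerics (36^40, about 2^206 possibilities):
    the 40+ character length one commenter recommends."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class Gateway:
    """Hypothetical email-to-post gateway (not yfrog's implementation)."""
    max_failures: int = 3                      # lock after this many wrong secrets
    secret_by_user: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    posts: list = field(default_factory=list)

    def enroll(self, user: str) -> str:
        """Issue the secret address; the domain is a constructed placeholder."""
        self.secret_by_user[user] = strong_token()
        return f"{user}.{self.secret_by_user[user]}@example.invalid"

    def receive(self, to_addr: str, subject: str) -> bool:
        """Post the subject line only if the address carries the user's secret."""
        local = to_addr.partition("@")[0]
        user, _, token = local.partition(".")
        if user not in self.secret_by_user or user in self.locked:
            return False
        # compare_digest avoids leaking how many leading characters matched
        if hmac.compare_digest(token.encode(), self.secret_by_user[user].encode()):
            self.failures[user] = 0
            self.posts.append((user, subject))
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return False
```

Note the trade-off the lockout creates: anyone who knows a username can send three bad addresses and lock that user out of posting by mail, so a real deployment would also throttle by sending address rather than rely on the per-user counter alone.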





I just gotta say....@sarking and @roomerholmes are made of win and awesome.
heh. I never felt like this so-called "hack" was very much of one. ps I'm the guy who got hacked.
GO SaRa! She would figure this all out.
And now the rest of the #maddow 'verse knows how cute she is.
This comment sums it up.
Also miss you on twitter ;-)
Thank you. I hope to maybe come back someday. But still feeling very put out.
So true! :D
Oh, just one more little thing for the #Maddow staff- SaRa (@sarking) is the one from the Hucka-Clippy segment, so her name is Kennedy, not King ;)
Kebbers- you're famous
-bro-n-law
She's the cutest hacker since Acid Burn.
YES! THIS!
@roomerholmes had given us a clue about his secret letter combination already so @sarking didn't need a script (a program); she just did it manually
You must be joking. That's not what Rachel said on the air. Talk about misleading...
That's actually exactly what she said. This is from the show script:
<blockquote>
As one of our viewers pointed out today, it's not all that hard to generate a program that would try every possible combination using your name until you get the right email address. That viewer-- who tweets as Sarking-- mimicked that process today.
</blockquote>
mimicked that process. As in xxxxx1, xxxxx2, xxxxx3, xxxxx4 which is exactly what the script would do.
Random character strings are supposed to be over 40 characters long because of this hack.
The following is not complete (i.e.: won't work) but would run on a Linux or UNIX box with mail routing enabled if it were complete.
This gives an idea how simple these are to create.
Hey was he actually on the live show when it got posted?
I admit I did give a clue to @sarking. But if you read the Cannonfire blog, and understand how simple it is to write a script that tries every letter combo (merely adding 5 letters to your twitter username), it illustrates how elementary this hack is.
You don't have to do a full blown brute force attack, and the word can be a bit longer than 5 words. However the words are easy to figure out;
http://littlegreenfootballs.com/page/248630_yfrog_secret_email_addresses_a
Isn't this also a form of identity theft? Just because YOU call it a HACK doesn't make it so. That's like saying "I just hacked your credit card and used it, no big deal." Am I wrong?
Well, hacking is still illegal (thankfully) in most instances. But you are correct that that subtle linguistic change certainly makes a difference in how people understand what happened. I mean, what's the difference between a hack that's meant to be a prank and, as in your example, a hack that's meant to steal something valuable (in your example's case, money)?
This makes no sense. "[S]ome combination of randomly generated letters (sometimes five, sometimes more)." Hmmm. There are 26 letters in the alphabet. Let's assume it can be 5 to 7 letters. 26^5+26^6+27^7=8,352,607,328. Assuming that a script can test 1000 of these combinations a second, it would take over 96 days to run through all the combinations. I just don't understand how this is possible.
Sure it does. Patriotusa76 aka Dan Wolfe has been hinting about Weiner's alleged sex scandal with young girls for nearly two months. You wouldn't need all 96 days; 46ish is more than reasonable. Now I'm no hacker so I don't know if someone needs to monitor the script 24/7, but if not, it fits the crucial time frame well.
This is what I think as well. You'd have to just let it run.
@VegasDude: 1000 tests per second is peanuts to a computer made after 1990. Putting that minor piece of bad argumentation on your part aside...
You're also making a bad assumption that this would be tested on a single machine. If the perp had ten computers and split the workload between them, bam: the time frame drops to 9 days. For $1000 you can buy a kit that will create a computer virus to do just about anything you want. The number one purpose for infecting computers: turning them into zombie machines that send out spam. How long would a single account take to hack then?
Modern processors could easily run thousands of floating point operations a second. It's running these calculations that overclockers use to stress-test their settings.
On another note: that's the exact same way someone would "hack" into an encrypted wifi network, by running through every possible combination of letters/numbers allowed for the encryption key until one works.
The yfrog "secret email" is a lot easier to figure out than you think. I hit a repeated "secret" word after 27 tries, and I bet I would have hit more by the time I tried at least 100 accounts, the patterns are obvious.
http://littlegreenfootballs.com/page/248630_yfrog_secret_email_addresses_a
Once the testing program is created, it does not have to run until all possible combinations are tested, just until it finds the right one.
@AnonymousBastard Wow, that's amazing. Why the heck would they use a system like that?
I did the first experiment of the yfrog "exploit" documented on Cannonfire's blog. His yfrog code and 2 others I did today were all five characters in length. All three of the passwords were like captchas in that they seemed to be like real words, e.g., Cannonfire's was "gudom". The other 2 also had vowels in the 2nd and 4th slot just like this. This suggests the number of combinations that you'd need to test to learn the code are fewer than a raw brute-force would require.
I know I replied to you on Twitter, but I want to reply here, too, just to note the codes I know have the same pattern: 5 characters, vowels at spots 2 and 4.
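Carrying the commenters' arithmetic through as an added example (mine, not from the post or any commenter): the raw keyspace VegasDude computed, the same work split across machines as the reply suggests, and the much smaller space once the "vowels at positions 2 and 4" pattern is assumed, plus the chance a fixed attempt budget (say, three tries before a lockout) hits at all. The functions generalize to other lengths and alphabets; the 1000 guesses per second rate is the commenter's assumption, not a measurement.

```python
def raw_keyspace(min_len: int, max_len: int, alphabet_size: int = 26) -> int:
    """All strings of the given lengths over one alphabet: sum of alphabet_size^n."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def patterned_keyspace(length: int, consonants: int = 21, vowels: int = 5) -> int:
    """Strings with vowels in even positions (2, 4, ...) and consonants elsewhere,
    the shape commenters observed in five-letter yfrog codes."""
    total = 1
    for position in range(1, length + 1):
        total *= vowels if position % 2 == 0 else consonants
    return total

def days_to_exhaust(keyspace: int, guesses_per_sec: float, machines: int = 1) -> float:
    """Worst case: every candidate tried once, work split evenly across machines."""
    return keyspace / (guesses_per_sec * machines) / 86400

def hit_chance(keyspace: int, attempts: int) -> float:
    """Probability that a uniformly chosen secret falls within a fixed attempt
    budget, e.g. the three tries a lockout would allow."""
    return min(1.0, attempts / keyspace)

if __name__ == "__main__":
    raw = raw_keyspace(5, 7)                     # 8,352,607,328 as in the comment
    print(f"raw 5-7 letters: {raw:,} -> {days_to_exhaust(raw, 1000):.1f} days on one box,"
          f" {days_to_exhaust(raw, 1000, machines=10):.1f} days on ten")
    patt = patterned_keyspace(5)                 # 21*5*21*5*21 = 231,525
    print(f"vowel-pattern 5 letters: {patt:,} -> "
          f"{days_to_exhaust(patt, 1000) * 86400:.0f} seconds on one box")
    print(f"3-try hit chance, patterned: {hit_chance(patt, 3):.2e}")
```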
Yep. The secret words are easy to figure out. They're either coming from a really smallish dictionary or semi randomly generated by mixing up some static post fixes ... more here;
http://littlegreenfootballs.com/page/248630_yfrog_secret_email_addresses_a
I've checked 5 twitter accounts. yFrog "hidden words" range from 5 to 10 characters long. Also, yFrog blocks e-mail posting after 3 wrong tries.
@PoliticalMath
yfrog wasn't locking anything after 3 wrong tries. I tried 2 wrong emails and 1 wrong MMS to the same twitter account (so wrong words after the dot) and was able to post exactly at the 4th email (with a valid address, of course).
I did this yesterday BEFORE they turned off the feature or I posted the common strings they use.
I updated my post here with some information on this, but I'd love to see how you got this "3 tries" thing to work because that wasn't the case in my testing.
Did anyone here actually try to enter the wrong email address more than once? I did and yFrog blocks you out after 3 wrong tries.
Add that to the fact that the words can range from 5 letters to 10 letters and you have a system that is basically impossible to run the kind of brute force hack that the authors are talking about. It's not a matter of using a calculator because the calculator breaks after the third try.
Of course, if they had actually made an honest effort to really hack a yFrog account, they would know this.
She changed e-mail addresses.
I did change e-mail accounts, but not because I got blocked. I was worried gmail would disable my actual e-mail address, so after the 7th try with that, I made a hotmail account I didn't care about. I made at least 4 more attempts with that account (I don't want to say exactly how many, lest someone else guess roomerholmes' code) and didn't get blocked then, either.
It's possible, of course, that they have increased security since I tried.
I tried about 3 wrong appended words and didn't see it being locked.
Can't test now as they've disabled the whole insecure feature now.
yfrog email posting is currently disabled.
http://i89.photobucket.com/albums/k225/milowent/disabled11-55et6-1-2011.jpg
Worth pointing out: The very oldest yfrog accounts have only 4-digit (i.e. numeric) magic nonce numbers.
Please read the CannonFire account before spouting off: http://cannonfire.blogspot.com/2011/06/weiner-affair-close-to-solution-but-i.html
This is how easy it is to figure out the "secret" emails;
http://littlegreenfootballs.com/page/248630_yfrog_secret_email_addresses_a
Jeez, you guys work too hard at all of this. Weiner's too smart to do something that would obviously cost him his job. End of case.
I think the evidence of Weiner's innocence is inherent in the identity of the accuser. If Brickbat (Breitbart) is involved, the whole thing is a pile of elephant dung somewhere around thirty feet deep and ninety feet around. Yeah--that's a LOT of elephant feces.
Had it been just any Democrat Congressman I would wonder about their guilt. Weiner is outspoken, intelligent and is a threat to certain people who are trying to get lies to fly. This had to be a planned plot to discredit him. You know the right will stop at nothing to win. They just keep coming up with new ways to fight dirty. I bet Breitbart knows the truth. It wouldn't be the first time he was behind a false accusation. There are other ways to hack into an account other than a script. If it was that easy this would be a very common problem. This hacker was really good.
yfrog may have increased its security after the flap broke, and hackers can be hired to break in pretty easily.
Breitbart's little saboteurs have been tragically effective at using lies to crush well-meaning progressive efforts. Destroying ACORN was their little plot.
The Democrats need to take Breitbart attacks super seriously or expect to be destroyed.
yfrog's increased security measures are to show the email address only on the settings page (they used to show it to the logged in user all over the place), and for now they've disabled this feature (MMS and email posting).
Ok - I don't 'tweet' and have NO interest in taking it up ~ but I REALLY want to know what ANY Congress-person does THAT IS CONSTRUCTIVE with our tax dollars that pay his salary ~ with Twitter.
This whole business of 'following' another on twitter appears to me such a WASTE of Time AND Productivity.
Seriously ~
Unless these congress persons are informing 'followers' of bills and important issues that are being considered and asking you, the twitter followers, to rally and call your legislative representatives for support ~ WHAT is the Purpose??
The TIME spent by our generously paid Representatives to Follow (READ and Comment upon) random comments by random twitter account users ~ appears to be at the least, A Serious Waste of Time AND a Serious Distraction to getting real stuff done ~ Real Accomplishment and as in this case AN EVEN Greater waste of time and resources ~ as some folks are now going to have to take MORE Time and Expense (possibly Expensive Legal costs, that all of US will get stuck with) to Untangle this story.
IMO ~ Unless this 'social networking format' has some REAL Benefit, ie: provides Real and Material benefit to us as taxpayers and constituents ~ why am I paying this Congressman or any other for his time, while he plays around on his portable device???
Leave 'Twitter' and such time-suck ~ to hollywood Celebrities
When I write my State Reps or the Whitehouse with REAL suggestions ~ I try to form Full intelligent thoughts, constructive argument (and real Sentences) AND I use www.whitehouse.gov/contact .... (etc.)
btw ~ I'm a fan of Anthony Weiner ~ NOT a Fan on (or of) Twitter
Yeah, because hearing from his constituents, you know those silly little people he WORKS for, is such a stupid mindless waste of time. Right?
OK, so someone spoofs his account(s) and posts an image - which I haven't seen. It is either him or not or a Photoshop original. Why Weiner doesn't come clean about the weiner in question is beyond me. This is a story to nowhere, while the jackasses in charge leave the oil subsidies intact and clamor on and on about tax breaks for the wealthy - some of whom already get refunds on their ZERO payments and the debt ceiling! Will all of you who were rejected for Leno's, "Jay Walking," please wake up!
Proof? yfrog has disabled the feature:
Meh. got cut off...anyways story on Daily Kos and Little Green Footballs about yfrog feature disabled....