Anyone on the list know how to contact the Twitter Security team? Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work. Thanks!
Yes/No ? https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabil...
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
Or maybe a tweet to @twittersecurity
On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yes/No ?
https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabil...
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
Why is Hacker one wrong? Seems like this would be exactly what it's for.
On Thu, Jul 18, 2019, 3:04 PM J. Hellenthal via NANOG <nanog@nanog.org> wrote:
Or maybe a tweet to @twittersecurity
On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yes/No ?
https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabil...
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
Because I didn't find the vulnerability, I'm not looking for a bug bounty and I don't know what the vulnerability is, just seeing the effects of it.
On Thu, 18 Jul 2019 at 13:06, Ross Tajvar <ross@tajvar.io> wrote:
Why is Hacker one wrong? Seems like this would be exactly what it's for.
On Thu, Jul 18, 2019, 3:04 PM J. Hellenthal via NANOG <nanog@nanog.org> wrote:
Or maybe a tweet to @twittersecurity
On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yes/No ?
https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabil...
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of J. Hellenthal via NANOG
Sent: Thursday, July 18, 2019 3:01 PM
To: Ken Gilmour
Cc: North Group
Subject: Re: Twitter security team?
Or maybe a tweet to @twittersecurity
On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yes/No ?
https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and
They also have a bug bounty program on HackerOne: https://hackerone.com/twitter
the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
https://hackerone.com/twitter is the correct means to report
-G
On Thu, Jul 18, 2019 at 2:04 PM J. Hellenthal via NANOG <nanog@nanog.org> wrote:
Or maybe a tweet to @twittersecurity
On Jul 18, 2019, at 13:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yes/No ?
https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabil...
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
no
On Thu, 18 Jul 2019 at 12:59, J. Hellenthal <jhellenthal@dataix.net> wrote:
Yes/No ?
https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabil...
On Jul 18, 2019, at 13:45, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Anyone on the list know how to contact the Twitter Security team?
Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the "My account has been hacked" form is also the wrong form. The whole site has been compromised, I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Thanks!
On Thu, Jul 18, 2019 at 12:45:25PM -0600, Ken Gilmour wrote:
I have evidence and can't contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn't work.
Of course I'm not surprised that the ignorant newbies running Twitter can't manage this: who wouldn't be, given their atrocious track record? But for everyone else:
[ engage soapbox ]
RFC 2142 was published in 1997, and most of the role addresses it specifies were in relatively common use prior to that. Yet -- nearly every day -- this list carries traffic from someone attempting to help/warn/etc. some allegedly professional operation that has its fingers firmly lodged in its ears in a desperate attempt to prevent basic communication and expects people who are already trying to provide them with free consulting services to jump through various annoying hoops in order to do so.
RTFRFC, folks, and implement it. It's operations 101. It's something you should have done in the first hour of the first day, before you turned on the rest of your stuff. It's not hard. And when a day like this comes for your operation, which it will, it may save you considerable pain, time, and/or money.
[ soapbox off - for now ;) ]
---rsk
participants (6)
- Eric Tykwinski
- Gregori Parker
- J. Hellenthal
- Ken Gilmour
- Rich Kulawiec
- Ross Tajvar