Twitter security team?

Anyone on the list know how to contact the Twitter Security team?

Seems the new update allows an attacker to modify other people’s tweets. The “Hackerone” form for reporting a vulnerability is the wrong form and the “My account has been hacked” form is also the wrong form. The whole site has been compromised, I have evidence and can’t contact anyone due to the lack of an appropriate form and the fact that the security@ email address doesn’t work.

Thanks!

Yes/No ?

https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities

Or maybe a tweet to @twittersecurity

Why is HackerOne wrong? Seems like this would be exactly what it’s for.

They also have a bug bounty program on HackerOne:

From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of J. Hellenthal via NANOG
Sent: Thursday, July 18, 2019 3:01 PM
To: Ken Gilmour
Cc: North Group
Subject: Re: Twitter security team?

Or maybe a tweet to @twittersecurity

> Yes/No ?
>
> https://help.twitter.com/en/rules-and-policies/reporting-security-vulnerabilities
>
>> Anyone on the list know how to contact the Twitter Security team?
>>
>> Seems the new update allows an attacker to modify other people's tweets. The "Hackerone" form for reporting a vulnerability is the wrong form and the

no

https://hackerone.com/twitter is the correct means to report

-G

Because I didn’t find the vulnerability, I’m not looking for a bug bounty and I don’t know what the vulnerability is, just seeing the effects of it.

Of course I'm not surprised that the ignorant newbies running Twitter
can't manage this: who wouldn't be, given their atrocious track record?
But for everyone else:

[ engage soapbox ]

RFC 2142 was published in 1997, and most of the role addresses it
specifies were in relatively common use prior to that.

Yet -- nearly every day -- this list carries traffic from someone
attempting to help/warn/etc. some allegedly professional operation
that has its fingers firmly lodged in its ears in a desperate attempt
to prevent basic communication and expects people who are already
trying to provide them with free consulting services to jump through
various annoying hoops in order to do so.

RTFRFC, folks, and implement it. It's operations 101. It's something you
should have done in the first hour of the first day, before you turned on
the rest of your stuff. It's not hard. And when a day like this comes
for your operation, which it will, it may save you considerable pain,
time, and/or money.

[ soapbox off - for now ;-) ]

---rsk
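
An added example, not part of the original thread: one way to check that the RFC 2142 role mailboxes mentioned above are actually defined and not silently discarded, by auditing a sendmail/Postfix-style aliases file. The function names, the status labels and the sample file are assumptions made for this illustration.

```python
# Added example: audit an aliases(5)-style file for RFC 2142 role mailboxes.
NETWORK_OPS = ("abuse", "noc", "security")   # RFC 2142 network operations names
SERVICE_ROLES = {"smtp": "postmaster", "dns": "hostmaster", "http": "webmaster"}
DEAD_TARGETS = {"/dev/null", ""}             # mail sent here reaches nobody

def parse_aliases(text):
    """Return {lowercased alias: [targets]}, honouring comments and continuation lines."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation of the previous entry
        else:
            logical.append(raw.strip())
    aliases = {}
    for line in logical:
        name, sep, rhs = line.partition(":")
        if sep:
            # RFC 2142 requires role names to be matched case-insensitively
            aliases[name.strip().lower()] = [t.strip() for t in rhs.split(",")]
    return aliases

def audit(text, services=("smtp",)):
    """Return {role: 'missing' | 'discarded' | 'ok'} for the roles this site must answer."""
    aliases = parse_aliases(text)
    required = list(NETWORK_OPS) + [SERVICE_ROLES[s] for s in services]
    report = {}
    for role in required:
        targets = aliases.get(role)
        if targets is None:
            report[role] = "missing"
        elif all(t in DEAD_TARGETS for t in targets):
            report[role] = "discarded"
        else:
            report[role] = "ok"
    return report

# Constructed sample input, not taken from any real site.
SAMPLE = """\
postmaster: root
Abuse:      abuse-team@example.net,
            oncall@example.net
security:   /dev/null
root:       ops@example.net
"""

if __name__ == "__main__":
    for role, status in audit(SAMPLE, services=("smtp", "dns")).items():
        print(f"{role:<12}{status}")
```

This only inspects the local alias table; whether mail to a role address is read by a person still has to be confirmed by sending a test message end to end.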