Exclusive: Twitter Bots Caught Clandestinely Logging The Private Messages of Their Users

The other day a friend of mine was telling me to get off of Twitter and talk to him elsewhere, because “Twitter is a database for the Feds” and they were worried about what might happen to them if anyone found out their real life identity. While I thought he was just being paranoid at the time, I guess I should have known better, because last night I stumbled onto 100% verifiable proof that Twitter is secretly logging the private conversations/messages of at least some of their users – myself included.

The incident occurred the night of January 13th 2019 during a conversation I was having with “Nama Tikure” via Twitter messenger. We were discussing various topics at the time, including spear phishing techniques and styles. He asked me the question: if I were going to launch an offensive to take down a Government agency, how would I go about doing so? I explained to him that I would probably just attempt to target the secretary of a politician via a spear phishing attack, because it’s their job to process a lot of email in a short period of time and, unlike the politicians themselves, they are less likely to have strict security measures implemented on their computers/devices.

I explained to him that if I were going to conduct a spear phishing attack against the Greek parliament, for example, I would spear phish the secretaries of various offices affiliated with it. I told him that over the years I have also developed a means to create an untraceable trap link that could be used to log anyone’s IP address, and that will also pass every single security scan you could put the link through. So, as a demonstration, I thought about showing him an example of what it would look like – but decided against doing so at the last second.

Example: https://roguesecuritylabs.ltd/totally-wont-nab-your-IP 😜

However, the interesting thing about all of this was that, despite never pressing “enter” on the chat or sending/sharing the message, and deleting the URL almost as fast as I typed it in, it turns out the trap link was magically clicked on approximately 21 times in a 17 second time period – all by four different IP ranges. As a demonstration, below you can literally see the bots clicking on the link I was creating, in real time, as I was creating it.

IP Ranges Logged: 199.59.150.80 – 199.59.150.183


Entering all of these IP ranges into a simple WHOIS/reverse DNS lookup reveals that these particular IP ranges all belong to Twitter themselves – presumably hidden web bots working behind the scenes to gather data. Putting this into context, this means that there are Twitter bots working behind the scenes in the middle of a private conversation, secretly logging every last little detail about it – whilst also clandestinely interacting with any/all links contained within it. For reasons that should be obvious, this represents a serious violation of user privacy and a serious concern about data collection.
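As an added example (not code from the original post), the following Python script shows how a site owner would confirm this kind of behaviour from their own web server logs: it parses standard combined-format access log lines, keeps only requests for the trap path that come from the Twitter range quoted above, and groups them into bursts. The log lines and User-Agent strings below are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Twitter-owned range quoted in the post; all four observed ranges fell inside it
RANGE_LO = ip_address("199.59.150.80")
RANGE_HI = ip_address("199.59.150.183")

# Apache/nginx "combined" access-log format
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log (not from the post); User-Agent strings are made up
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2019:22:41:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
199.59.150.84 - - [13/Jan/2019:22:41:10 +0000] "GET /totally-wont-nab-your-IP HTTP/1.1" 200 87 "-" "SampleBot/1.0"
199.59.150.91 - - [13/Jan/2019:22:41:12 +0000] "GET /totally-wont-nab-your-IP HTTP/1.1" 200 87 "-" "SampleBot/1.0"
199.59.150.120 - - [13/Jan/2019:22:41:19 +0000] "GET /totally-wont-nab-your-IP HTTP/1.1" 200 87 "-" "SampleBot/1.0"
199.59.150.180 - - [13/Jan/2019:22:41:27 +0000] "GET /totally-wont-nab-your-IP HTTP/1.1" 200 87 "-" "SampleBot/1.0"
199.59.150.200 - - [13/Jan/2019:22:41:28 +0000] "GET /totally-wont-nab-your-IP HTTP/1.1" 200 87 "-" "curl/7.64.0"
""".splitlines()

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip_address(m["ip"]), "ts": ts, "req": m["req"], "ua": m["ua"]}

def crawler_bursts(lines, path, window=timedelta(seconds=30), min_hits=3):
    """Group hits on `path` from the suspect range into bursts no longer than `window`."""
    hits = [e for e in map(parse_line, lines)
            if e and RANGE_LO <= e["ip"] <= RANGE_HI and path in e["req"]]
    hits.sort(key=lambda e: e["ts"])
    bursts, cur = [], []
    for e in hits:
        if cur and e["ts"] - cur[0]["ts"] > window:   # start a new burst past the window
            bursts.append(cur)
            cur = []
        cur.append(e)
    if cur:
        bursts.append(cur)
    return [{"start": b[0]["ts"].isoformat(), "count": len(b),
             "span_s": int((b[-1]["ts"] - b[0]["ts"]).total_seconds()),
             "ips": [str(ip) for ip in sorted({e["ip"] for e in b})]}
            for b in bursts if len(b) >= min_hits]
```

Running `crawler_bursts(SAMPLE_LOG, "/totally-wont-nab-your-IP")` on the sample reports one burst of four hits spanning 17 seconds from four distinct addresses in the range, while the request from 199.59.150.200 (outside the quoted range) is ignored.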

It also makes me wonder: if this was happening to me, how prevalent a feature is this? How much information is Twitter secretly logging from its users, and to what end? For whom is Twitter even collecting this information? What are they doing with the data they collect? Are they selling it to interested third parties? Who inside the company has access to the logs of private conversations? Are there any safeguards in place to prevent abuses of user data/privacy? Rogue Security Labs has reached out to Twitter support and developers asking these very questions, but as of the afternoon of January 15th 2019 has yet to receive a response.

Keep checking back for more information should they ever respond.

Researcher Uses Google Search Strings To Uncover 1,000s of Active Government-Issued IDs, Passports & More

An online cyber security researcher going by the name of Fabio Castro in Brasil has just disclosed a serious vulnerability attached to the Google search engine. In research revealed via his Twitter page earlier today, January 10th 2019, Mr. Castro has revealed that if you enter a certain string of the right characters and symbols into a Google search, you are essentially able to access portions, sections, folders, files or databases that you otherwise shouldn’t be able to.

As a proof of concept (PoC), Mr. Castro entered the following string into Google this morning, `intitle:"index of /" "passport"`, and managed to stumble across countless international photo IDs, passports, drivers’ licenses and the like through Google Images. While the exact number exposed is impossible to quantify, we could be talking about thousands upon thousands of active Government-issued IDs compromised by this glitch/vulnerability all across the world. For example, Mr. Castro has already admitted to maliciously downloading documents for himself – primarily targeting Brasilian drivers’ licenses.

After thinking for a while about how this sort of thing could have happened, and after analyzing the URL structure tied to the photos leaked onto Google’s servers, it is my professional opinion that this is a glitch resulting from Google web bots and crawlers. For example, nearly every Government or corporate website in the world is attached to Google’s search engine on one level or another, meaning that the site has been indexed to be crawled by Google’s various artificial intelligence web bots – seemingly at random.

Now, unless you are a security 🤓 like me, or have insanely strict firewall rules, you might not realize how much Google actually attempts to “learn” about any/every website located on the ClearNet. For example, every once in a while Rogue Security Labs manages to catch Google’s web bots attempting to crawl/index things they should have no business learning – such as my site’s JSON files. Tying things together, especially given the developments of today, I am also willing to bet that none of this is an isolated process, and Google’s bots have either been intentionally configured to or accidentally reconfigured to crawl various file systems across the web – there’s no telling which really, only Google developers know that answer.


If you do not block these bots or employ strict enough rules on your firewall, then Google will do anything and everything it can to index everything on your site – seemingly with no restraint whatsoever. After thinking about it for long enough, and after piecing some more information together in my head, unfortunately, this appears to be a variation of the same exact bug/vulnerability that led to the deaths of 30 clandestine CIA agents in Iran last November.

For those of you who do not remember, as was first reported by Yahoo News on November 2nd 2018, Iranian agents managed to enter different search strings together on Google’s search engine, leading hackers directly to site pages attached to the back-end of “secret” websites used by various CIA agents/operatives to coordinate, communicate and exchange messages with one another. For example, a later report revealed that a search comprising the words “CIA secret website login” really did lead hackers to web pages of undercover operatives – web pages that hackers were then able to brute-force and/or hack. Later reports revealed that agents in China were also able to compromise undercover operatives by similar hacks/vulnerabilities throughout the course of 2009 – 2013, leading to the deaths of dozens more.

Honestly, there really is no easy fix to this problem. If you are one of the websites affected, considering that Google has already indexed the web pages and files in question, Google would have to audit its own systems and servers to remove them manually. If you are a website owner looking to build your site in the future, then either hire Rogue Security Labs to manage your website security or learn how to build and employ stricter firewall rules yourself. The only way to prevent Google from indexing your site is by blocking different web bots/crawlers from doing so. It is such an advanced problem, yet one that is so easily exploited – that’s the real problem here.
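As an added example (not from the original post), here is a small Python audit a site owner can run against their own server’s responses to catch the condition behind this search string: an auto-generated “Index of /” directory listing that is served with status 200 and carries no `noindex` directive, so a crawler is free to index it. The sample listing and the hardened reply are constructed for the demonstration, not captured from any real site.

```python
from html.parser import HTMLParser

class _Probe(HTMLParser):
    """Collect the <title> text and any <meta name="robots"> directive from a page."""
    def __init__(self):
        super().__init__()
        self.title, self.robots, self._in_title = "", "", False
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            self.robots = a.get("content", "").lower()
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_response(status, headers, body):
    """Classify one HTTP response: is a directory listing served, and may crawlers index it?"""
    p = _Probe()
    p.feed(body)
    hdr = {k.lower(): v.lower() for k, v in headers.items()}
    # Apache mod_autoindex and nginx autoindex both title the page "Index of /..."
    listing = status == 200 and (p.title.strip().lower().startswith("index of")
                                 or "parent directory" in body.lower())
    noindex = "noindex" in hdr.get("x-robots-tag", "") or "noindex" in p.robots
    if not listing:
        return "no-listing"
    return "listing-noindex" if noindex else "listing-indexable"

# Constructed responses (not captured from any real site): an auto-generated
# listing as Apache's mod_autoindex would render it, and a hardened reply.
OPEN_DIR = """<html><head><title>Index of /uploads/scans</title></head>
<body><h1>Index of /uploads/scans</h1><pre><a href="../">Parent Directory</a>
<a href="id-front.jpg">id-front.jpg</a></pre></body></html>"""
HARDENED = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"

if __name__ == "__main__":
    print(audit_response(200, {"Content-Type": "text/html"}, OPEN_DIR))         # listing-indexable
    print(audit_response(200, {"X-Robots-Tag": "noindex"}, OPEN_DIR))           # listing-noindex
    print(audit_response(403, {"X-Robots-Tag": "noindex, nofollow"}, HARDENED))  # no-listing
```

A `noindex` only keeps the listing out of search results; the server-side fix is to disable listings altogether (`Options -Indexes` in Apache, `autoindex off` in nginx), which is what turns the first case into the third.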

On a side note, considering that I was at one point a clandestine agent in waiting and literally wrote the book on how to keep an anonymous identity online, I am quite frankly dumbfounded that agents actually employed by the CIA were dumb enough to coordinate with each other and Government offices on the ClearNet, never mind on an insecure website located on the ClearNet to boot – that’s just a literal face palm to me. But then again, I’m the one the CIA chose not to hire – so I guess that’s their problem. Well done America.