Monday, August 26, 2013

Twitter spies on you via TwitterBot, shadows every click you make



After Edward Snowden's leaks about the US government spying on its own people, something similar has now been revealed about Twitter by Alexander Hanff, a privacy expert based in Poland. He says Twitter follows every click on a t.co link and on the links in the Direct Messages you send to others privately.
Alexander reports on his official blog that Twitter shadows every click you make.
Explanation of Alexander's report:
Alexander was working on a project that would let him see statistics about his site's visitors without retaining any information that might be considered private or identifying, or that could be used to track them; these statistics are important for attracting sponsors. He also wanted to know which countries his visitors come from without retaining their IP addresses, so he installed an Apache module called GeoIP, which reports the country a visitor is coming from based on their IP address without actually having to store that IP address.
He first set up a server on his local network, but that network is not addressable from the outside world, so GeoIP did not work correctly there. He therefore uploaded his script to his production web server and set up a temporary website in Apache to check that the correct data was being saved to the database. The website was brand new and had no incoming links from the public, so he didn't bother changing the default Apache log configuration, which means the log captured all the usual data, including the User-Agent string, the IP address and more.
Alexander then sent the following link via a DM in TweetDeck (he has multiple Twitter accounts and sent the DM to one of his own accounts):

http://mydomain.com/stats.php?ref=twitter

The purpose of the ref string at the end of the URL was to test that it was recorded in the database, because he needs some log data relating to his sponsors. The output of his script looks like this:

Each row of the output has these columns:
RowID » TimeStamp » Requested Page » Country Code
The results are the actual rows from his database, and his country code is PL, so you can see that rows 11 and 13 were visits from his own computer, whereas rows 8, 9, 10 and 12 all have the country code US. Rows 8 to 10 were created immediately after he sent the DM to his Twitter account from TweetDeck.
Alexander also stated that he had not yet set up the receiving Twitter account in TweetDeck, but he did have that account open in one of his browsers, so he clicked the URL in the DM (see row 11 in the list above, which is from Poland). The four other entries were from the US, even though the URL was private and had never been made public. So he checked his Apache access logs, and there he could see that for each of the US rows one of Twitter's servers, using IP 199.16.156.126 and identifying itself as Twitterbot/1.0, had sent a GET request to the URL (including the extra URL parameter "?ref=twitter").
Still unsure what the problem is? These are the points:
The URL we post via a DM is supposed to be private.
Twitter's bot didn't look for robots.txt (regarded as the polite thing for robots to do).
It went straight to the URL, which could have contained private information it was not supposed to see, and made a copy of that page (via a GET request).
Back in June this year, Alexander had already filed a complaint with the European Commission over concerns that Twitter was able to track user clicks via its t.co URL shortener without explicit consent, which is a breach of EU privacy regulations; this is now proven to be true through the evidence above.
Alexander also asked the Twitter safety team about this issue and has yet to receive a response from them; we will update this article if Twitter replies to him.
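The three points above can be checked from an ordinary Apache access log. The following added example (not Alexander's code; the log lines are constructed, and "ExampleBot" and its IP are hypothetical) parses combined-format lines, picks out requests made by link-preview bots, and reports for each fetch whether that client ever asked for /robots.txt first:

```python
import re
from datetime import datetime

# Apache "combined" log format, the default Alexander left in place.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not Alexander's real log): two Twitterbot fetches of
# the private URL, a hypothetical well-behaved "ExampleBot" that reads
# robots.txt first, and the owner's own click from an ordinary browser.
SAMPLE_LOG = """\
199.16.156.126 - - [26/Aug/2013:10:02:11 +0000] "GET /stats.php?ref=twitter HTTP/1.1" 200 512 "-" "Twitterbot/1.0"
199.16.156.126 - - [26/Aug/2013:10:02:12 +0000] "GET /stats.php?ref=twitter HTTP/1.1" 200 512 "-" "Twitterbot/1.0"
198.51.100.9 - - [26/Aug/2013:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "ExampleBot/1.0"
198.51.100.9 - - [26/Aug/2013:10:03:01 +0000] "GET /stats.php?ref=twitter HTTP/1.1" 200 512 "-" "ExampleBot/1.0"
203.0.113.7 - - [26/Aug/2013:10:05:40 +0000] "GET /stats.php?ref=twitter HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def audit_bot_fetches(entries, bot_markers=("Twitterbot", "ExampleBot")):
    """For each page request whose User-Agent names a link-preview bot, report
    the URL it fetched and whether that client IP requested /robots.txt first."""
    robots_seen = {}  # ip -> timestamp of its first /robots.txt request
    for e in entries:
        if e["url"].split("?", 1)[0] == "/robots.txt":
            robots_seen.setdefault(e["ip"], e["ts"])
    findings = []
    for e in entries:
        is_bot = any(marker in e["ua"] for marker in bot_markers)
        if is_bot and e["url"].split("?", 1)[0] != "/robots.txt":
            checked = e["ip"] in robots_seen and robots_seen[e["ip"]] <= e["ts"]
            findings.append({"ip": e["ip"], "ua": e["ua"], "url": e["url"],
                             "ts": e["ts"], "robots_txt_checked": checked})
    return findings

if __name__ == "__main__":
    for f in audit_bot_fetches(parse_log(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["ip"], f["ua"], f["url"],
              "robots.txt checked" if f["robots_txt_checked"] else "NO robots.txt check")
```

Run against a real log, the bot markers would be whatever User-Agent strings the preview fetchers in your own logs present; a fetch of a URL that was only ever shared privately is the signal the post describes.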
