Tweetdeleter.com has been hacked (public version)

[Kevin Beaumont 87]

As ID'd by @Rachael Stos-Gale, popular (1 million+ users) site tweetdeleter.com has been hacked/serving malicious content.

When you first visit you get prompted to enable "Global auth" app, written by "erasetweet.com" (a blank GoDaddy landing page).

When you authorise it, it embeds content from mklpserver.com - a domain first registered in last 24 hours. The Twitter permissions allow the website to access yours and others tweets.

Looking at Cisco Umbrella, it has a very high amount of lookups and appears to be involved in multiple compromises.

DNS lookups:

Original TLP Rainbow thread for members: https://opensecurity.global/forums/topic/137-tweetdeletercom-seems-to-be-hacked/

Multiple attempts have been made to contact the website owners.

I strongly suggest people remove Tweetdeleter, "Global auth" and erasetweet from their Twitter authorised apps.

Here's how to see which apps have permission to access your Twitter account:

• Visit Twitter. On the left hand side, look for "More.." then click "Settings and privacy".
• Click "Account -> Apps and sesions" in the sidebar on the left side of the screen to view all of the apps that have access to your Twitter account.
• Review the list of apps and what permissions they have (read, write, and direct messages access, for example), and click "Revoke Access" for any applications or web services.

 

[Kevin Beaumont 87]

TweetDeleter has been suspended from Twitter  

Their app has also been removed by Twitter. That was “Global Auth” and may have had access via other services, too  

Their website claims they had access to 1.7m accounts. 

[Kevin Beaumont 87]

I'm not sure if they have Google AdSense embedded into their post login screen, but it looks like that domain is linked to some Google advertising Javascript code: