OpenSecurity.global

Kevin Beaumont

Tweetdeleter.com has been hacked (public version)

As ID'd by @Rachael Stos-Gale, popular (1 million+ users) site tweetdeleter.com has been hacked/serving malicious content.

When you first visit you get prompted to enable the "Global auth" app, written by "erasetweet.com" (a blank GoDaddy landing page).

[image]

When you authorise it, it embeds content from mklpserver.com - a domain first registered in the last 24 hours. The Twitter permissions allow the website to access your and others' tweets.

Looking at Cisco Umbrella, it has a very high amount of lookups and appears to be involved in multiple compromises.

DNS lookups:

[image]

Original TLP Rainbow thread for members: https://opensecurity.global/forums/topic/137-tweetdeletercom-seems-to-be-hacked/

Multiple attempts have been made to contact the website owners.

I strongly suggest people remove Tweetdeleter, "Global auth" and erasetweet from their Twitter authorised apps.

Here's how to see which apps have permission to access your Twitter account:

  • Visit Twitter. On the left-hand side, look for "More.." then click "Settings and privacy".
  • Click "Account -> Apps and sessions" in the sidebar on the left side of the screen to view all of the apps that have access to your Twitter account.
  • Review the list of apps and what permissions they have (read, write, and direct messages access, for example), and click "Revoke Access" for any applications or web services.

 

Link to post
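
An added example, not part of the original thread: one way to flag the pattern described in the first post, a page embedding content from a very recently registered domain. The HTML, the `loader.js` path, the registration timestamps and the 30-day threshold are constructed for illustration; in practice the dates would come from an RDAP or WHOIS lookup.

```python
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; only the two domain names come from the post.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://mklpserver.com/loader.js"></script>
</head><body>
<img src="https://tweetdeleter.com/logo.png">
<iframe src="//cdn.example.net/widget"></iframe>
</body></html>"""

# Constructed registration data (assumption: fetched via RDAP/WHOIS in practice).
NOW = datetime(2020, 1, 2, 12, 0, tzinfo=timezone.utc)
REGISTERED = {
    "mklpserver.com": NOW - timedelta(hours=12),
    "cdn.example.net": datetime(2012, 5, 1, tzinfo=timezone.utc),
}

class EmbedCollector(HTMLParser):
    """Collect hosts of resources a page loads from somewhere other than itself."""
    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host and host != self.page_host:
                    self.hosts.add(host)

def newly_registered_embeds(html, page_host, registered, now,
                            max_age=timedelta(days=30)):
    """Return third-party hosts with no known or a recent registration date."""
    collector = EmbedCollector(page_host)
    collector.feed(html)
    return [h for h in sorted(collector.hosts)
            if registered.get(h) is None or now - registered[h] <= max_age]

if __name__ == "__main__":
    print(newly_registered_embeds(SAMPLE_HTML, "tweetdeleter.com", REGISTERED, NOW))
```

Hosts with no registration record are flagged as well, so a failed lookup does not hide an embed.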

TweetDeleter has been suspended from Twitter  

Their app has also been removed by Twitter. That was “Global Auth” and may have had access via other services, too  

Their website claims they had access to 1.7m accounts. 

[image]

Link to post

I'm not sure if they have Google AdSense embedded into their post-login screen, but it looks like that domain is linked to some Google advertising JavaScript code:

[image]

Link to post
