Wednesday, June 01, 2011

A Twitter/Yfrog Exploit Allowed Unauthorized Postings on Rep. Weiner's Account?

The whole kerfuffle and smear campaign against Rep. Anthony Weiner (D-NY) just gets more interesting. Cannonfire and Milowent have apparently found a way to duplicate how the image of a man's torso and penis was ostensibly sent from Weiner's Twitter account. For starters, it would appear that Yfrog has no security (or is leaky) to the point that anyone can not only share images, but also place images in the directories of other people, even if the other person has password protection on their account.

That kind of arrangement makes it real easy to share images, but also inevitably allows for all manner of mischief - such as what apparently happened with Rep. Weiner's account.

Kudos to Milowent and others who figured this out and showed conclusively that it doesn't require hacking to make it appear that someone sent images or "hacked" the account.

(c) Cannonfire
More to the point, here's the key graf:
Please understand that I have never sent a single tweet in my entire life. The first two instances were created automatically, when I uploaded those first two test pictures to Yfrog (as outlined in previous posts). The third instance was created when milowent sent a pic to my Yfrog address.
Both the tweet and the image seem to originate with me, but they did not.
Thankfully I don't have a Yfrog account (and until now, never knew that such a thing existed), and my twitterings are usually quite tame text links, comments etc.

Whoever did this attempted to frame a Congressman with lewd photos, and it would take a review of the IP addresses at Yfrog and Twitter to confirm that this happened.

Those who are proffering the original tweet and photo as proof of Rep. Weiner's misconduct are engaging in propaganda and attempting to delegitimize the Congressman as part of a smear campaign. It's a high-tech attempt, and those responsible for spreading the smear might have gotten away with it except for the fact that others have managed to duplicate the manner in which the item was placed into Weiner's accounts - without actually hacking into the accounts.
