
20 comments

1 Only The Lurker Knows  Wed, Jun 1, 2011 9:58:15pm

You ought to forward a link to this page to the Idiots over at Yfrog who seem to believe they don't have a problem.

2 Slumbering Behemoth Stinks  Wed, Jun 1, 2011 10:08:04pm

re: #1 Bubblehead II

Hell, forward it to Rep. Weiner's legal team.

Nice work, Captain.

3 Dark_Falcon  Wed, Jun 1, 2011 10:08:40pm

Good catch and thanks for doing this.

4 ElCapitanAmerica  Wed, Jun 1, 2011 10:12:28pm

Feel free to share and post your yfrog generated "word" here, especially if you have disabled your yfrog account (revoked permissions), and don't post your twitter name or email.

5 OhCrapIHaveACrushOnSarahPalin  Wed, Jun 1, 2011 10:13:07pm

Congrats, Capitan.

6 ElCapitanAmerica  Wed, Jun 1, 2011 10:25:57pm

As mentioned by Charles, facebook uses a similar "feature". However, at least from looking at my own account, the email address is a bit more complicated, with more than one word and a numeric combination.

Still, I rather this be a feature you can turn off. You can send messages to your facebook without a password (well, unless you consider an email address a password) via email (from any account) or MMS (from any phone).

7 Only The Lurker Knows  Wed, Jun 1, 2011 10:28:26pm

One has to wonder if this is going to turn into another "memogate" type of situation?

8 Slumbering Behemoth Stinks  Wed, Jun 1, 2011 10:36:49pm

re: #7 Bubblehead II

It does have "throbbing" written all over it.
/I feel dirty now.

9 ElCapitanAmerica  Wed, Jun 1, 2011 11:06:26pm

Now you get an "email posting" disabled message ... I wonder if they'll try to re-enable this feature, hopefully not.
Image: email-posting-disabled.png

10 Alexzander  Thu, Jun 2, 2011 12:12:23am

Good research.

Here is a possible complication: All of your given email addresses were the same, with the addition of a period. It is possible that the yfrog generated word is based off of one's email address. Hence the proximity of all of the given generated words. For completeness's sake, you should test radically different email addresses.

11 ElCapitanAmerica  Thu, Jun 2, 2011 12:54:39am

re: #10 Alexzander

Good point, however the last 3 emails are very dissimilar (although 2 of them are gmail addresses too). So the "personal_twitter2" account (that's not the real name of the account) is actually the one that matches with the word "lusion", see lines 1 and 27.

12 Obdicut  Thu, Jun 2, 2011 3:09:43am

re: #10 Alexzander

He did.

13 CuriousLurker  Thu, Jun 2, 2011 4:38:17am

Excellent page—thanks.

14 CuriousLurker  Thu, Jun 2, 2011 5:53:54am

I'd like to point out that it also wouldn't hurt to enable the "always use HTTPS" feature if you tweet using your browser. You'll find the option in your account setting at the very bottom, after the media & privacy settings:

Twitter HTTPS option

15 ElCapitanAmerica  Thu, Jun 2, 2011 7:33:39am

OK, a little update.

Several people have reacted to this post with the following argument:

Guessing the yfrog email wouldn't work because yfrog would lock down and disable the post by MMS/email feature as soon as it detected 3 failed emails for your twitter name.

Well, they could have done this and I didn't try to flood my test accounts with dozens of invalid email addresses. However before this test, I did try to send *exactly* 3 invalid emails to my main twitter account. Then the 4th message (with the correct email address) worked.

I think it's unfortunate that people are claiming this when they really didn't try it. I'm pretty sure they wouldn't do this for 3 failed attempts. Could they have been doing it for 4, 10, 50? Don't know.

If they did do this, however, it could prove very annoying to legitimate users. It would mean all I'd have to do to disable MMS posting is to flood an account with random words (with a few emails) and voila, I just locked you out.

I was also "challenged" by somebody on twitter to post an image to their account. First, I'd rather not, I would rather test on one of my own accounts. But more importantly, you can't try this as of last night because the feature has been disabled.

These are the facts. If you have technical arguments to refute them, and can be backed up by evidence, please let me know but if you want to guess what yfrog does I can't really help you much there.

16 Obdicut  Thu, Jun 2, 2011 8:20:07am

re: #15 ElCapitanAmerica

I'd just like to note that if the lockout time was anything at all short, this would just mean the hack would take longer to work. Given that there seems to be a dictionary, the permutations are not actually that high. If you got locked out for every 10 attempts for one hour, that's still 240 attempts a day, 1,680 a week. It took you 27 attempts to do it.

17 eightyfiv  Thu, Jun 2, 2011 11:53:40am

Good stuff. Wow, those are low-entropy "nonces". Lunacy.
Even if they weren't using a stupid algorithm or a fixed dictionary, requiring phonetic plausibility drastically reduces the variability and hence increases the crackability, meaning you need to about double the length of your passwords -- a short, memorable 5-8 character word is hopelessly tiny. The whole idea here is broken.

18 eightyfiv  Thu, Jun 2, 2011 12:26:09pm

Actually... Given that it took you about 25 tries to find two duplicate nonce words, we can very roughly estimate the total size of the dictionary of possibilities -- it's the well-known birthday problem. You should expect to find your first duplicate around when the probability of having one hits on the order of 50%. How many distinct possibilities do there need to be for 50% probability at around 25 samples? It's about 450 (on the order of 25^2). Amusingly, this is almost identical to the 23 people needed for an expected 50% chance of a duplicate birthday!

I'm sure a statistics buff could give a more rigorous analysis, but roughly speaking, at the leisurely pace of 1-2 guesses a day, it would take about a year to break someone's account. FAIL.
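The arithmetic behind comments #16 and #18, as an added example that is not from any commenter in this thread: an exact birthday-problem collision probability, the dictionary-size estimate it implies when the first duplicate word appears after about 25 samples, and the guessing throughput that survives a "lock for an hour after 10 failures" policy. The sample counts and lockout figures are taken from the comments; the function names are my own.

```python
"""Birthday-problem estimate of the yfrog posting-word dictionary and the
effect of a lockout policy on guessing speed (figures from comments #16/#18:
~25 samples to the first duplicate, 10 attempts per 1-hour lockout)."""
import math


def collision_probability(dictionary_size: int, samples: int) -> float:
    """Exact probability that `samples` draws with replacement from
    `dictionary_size` equally likely words contain at least one repeat."""
    if samples > dictionary_size:
        return 1.0
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (dictionary_size - i) / dictionary_size
    return 1.0 - p_all_distinct


def estimate_dictionary_size(samples_to_first_dup: int, target: float = 0.5) -> int:
    """Smallest dictionary size at which the chance of a repeat within
    `samples_to_first_dup` draws drops to `target`: the size for which a first
    duplicate around that point is the 50/50 expectation (comment #18)."""
    n = samples_to_first_dup
    size = n
    while collision_probability(size, n) > target:
        size += 1
    return size


def birthday_approximation(samples: int, target: float = 0.5) -> float:
    """Closed form N ~ n^2 / (2 ln(1/(1-target))), the 'order of 25^2' in #18."""
    return samples ** 2 / (2 * math.log(1 / (1 - target)))


def attempts_per_day(attempts_per_lockout: int, lockout_hours: float) -> int:
    """Guesses per day an attacker still gets under a policy of locking the
    feature for `lockout_hours` after `attempts_per_lockout` failures (#16)."""
    return int(attempts_per_lockout * 24 / lockout_hours)


def days_to_exhaust(dictionary_size: int, guesses_per_day: float) -> float:
    """Worst-case days to try every word at a fixed guessing rate."""
    return dictionary_size / guesses_per_day


if __name__ == "__main__":
    est = estimate_dictionary_size(25)
    print(f"dictionary size implied by a duplicate at ~25 samples: ~{est}")
    print(f"closed-form approximation: {birthday_approximation(25):.0f}")
    per_day = attempts_per_day(10, 1)           # 10 tries, then 1-hour lock
    print(f"under that lockout: {per_day}/day, {per_day * 7}/week")
    print(f"at 1.5 guesses/day: {days_to_exhaust(est, 1.5):.0f} days worst case")
```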

19 ElCapitanAmerica  Thu, Jun 2, 2011 2:40:06pm

re: #18 eightyfiv

Interesting, the more you analyze it the simpler it seems.

I'm very curious to see if they enable this "service" back up, and if they do, what new scheme they will use and what they'd do with the existing users.

The reasonable thing is to avoid this feature in the first place.

20 ElCapitanAmerica  Thu, Jun 2, 2011 7:38:49pm

yfrog is not being very honest about the current situation; issues security statement:

[Link: littlegreenfootballs.com...]


This page has been archived.
Comments are closed.
