OsintSupport
Jan 12
[#OSINT|#OPSEC|#DATALEAK] When you don’t renew a domain name that you use for email it creates the opportunity for a bad actor to take over accounts registered with email addresses at that domain.

1/
Data leaks allow a bad actor to use this attack vector at scale. Exporting unique domains from the email addresses, filtering by occurrence, then running a whois service over the top of them is low effort.

2/
A couple of years ago I spotted this with a senior developer's GitHub account, who was working at a well-known tech company.

Generally speaking, if you found a popular repo, a bad actor could in theory introduce malicious code exploiting the dependency chain.

3/
With the recent #Twitter #dataleak this is again a real problem; I have seen verified accounts, high follower accounts, even accounts of influence which are exposed to this attack, if the email in the dataleak is still being used.

4/
I have been on the fence for a long time when it comes to talking about this attack vector; however, threat actors, I'm sure, know about this method, whereas the average person won't, therefore I feel it's better to educate.

5/
When registering your own domain name and using it for email, unless you are committed to renewing, it might be wiser to use a free email provider like Gmail for accounts you care about to preempt this in the future.

6/
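
A way to act on the advice above for your own accounts, as an added example that is not part of the original thread: list which accounts recover to a mailbox on a domain you registered yourself, and flag those whose registration expires soon or has no expiry data. The account inventory, the `.test` domains, the RDAP documents (RFC 9083 `events` format), the `HOSTED` set and the fixed date are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inventory: (service, recovery email) pairs for your own accounts.
ACCOUNTS = [
    ("github", "dev@example-studio.test"),
    ("twitter", "dev@example-studio.test"),
    ("registrar", "owner@old-project.test"),
    ("bank", "someone@gmail.com"),
]

# Constructed RDAP domain objects, keyed by domain name.
RDAP = {
    "example-studio.test": json.loads(
        '{"ldhName": "example-studio.test", "events": ['
        '{"eventAction": "registration", "eventDate": "2020-03-01T00:00:00Z"},'
        '{"eventAction": "expiration", "eventDate": "2030-02-01T00:00:00Z"}]}'),
    "old-project.test": json.loads(
        '{"ldhName": "old-project.test", "events": ['
        '{"eventAction": "expiration", "eventDate": "2031-06-30T00:00:00Z"}]}'),
}

HOSTED = {"gmail.com"}  # assumption: provider-owned domains you cannot fail to renew


def expiry(rdap_doc):
    """Return the expiration datetime from an RDAP domain object, or None."""
    for ev in rdap_doc.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def audit(accounts, rdap, now, warn_days=60):
    """Map each at-risk self-registered domain to (days_left, dependent services)."""
    by_domain = defaultdict(list)
    for service, email in accounts:
        domain = email.rsplit("@", 1)[1].lower()
        if domain not in HOSTED:
            by_domain[domain].append(service)
    report = {}
    for domain, services in by_domain.items():
        exp = expiry(rdap.get(domain, {}))
        days = (exp - now).days if exp else None
        if days is None or days <= warn_days:  # unknown expiry is treated as at risk
            report[domain] = (days, sorted(services))
    return report


NOW = datetime(2030, 1, 12, tzinfo=timezone.utc)  # fixed so the result is stable
REPORT = audit(ACCOUNTS, RDAP, NOW)  # {"example-studio.test": (20, ["github", "twitter"])}
```

Every service listed against a flagged domain should either have its recovery address moved or the domain's renewal confirmed before the expiry date.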

