Twoo user takes revenge with script to spam users

Earlier this week, we investigated Twoo, a dating site that has forcibly converted every user of the Q&A site flop (formerly Formspring) into an online dating profile without warning.  In a new development, an angered user has written a script that mass-messages Twoo users in return.


It comes as no surprise that users are angry at the amount of spam Twoo sends out.  What angers people more is that Twoo often appears to spam not just its users but their friends too.  Indeed, reports dating as far back as 2012 show users complaining that Twoo sent invitations to the unwanted dating profiles to their contacts, apparently by accessing their email address books.

A user going by the name of Dhilipsiva took to Twitter to complain that Twoo was spamming his friends, and stated that he had deleted his account.

But of course, as we uncovered in our last article, Twoo doesn’t really delete accounts when it says it does.  Dhilipsiva was understandably annoyed: his data was being held hostage and his friends were being targeted with spam claiming he had chosen to message them.  Unfortunately for Twoo, Dhilipsiva is a full-stack developer and DevOps engineer.  After looking at Twoo’s site, he realised just how easy it would be to exploit Twoo’s poorly designed “improved platform”.

Dhilipsiva was also shocked to find that his actual phone contacts were being mined for invitations; his investigation showed that Twoo crawls every contact and sends each one a message.

I was performing a Man-In-The-Middle attack on my own android phone and my own personal account and I saw that they are sucking up all my contacts to the cloud. Every single one. And I tried connecting with people who are already on Twoo, but they had sent messages to all my contacts.

His extremely simple script needs only the session cookie of any logged-in user (and of course it’s so easy to get a Twoo account that you probably already have one!).  Armed with that, the script simply goes to Twoo, grabs profiles and sends each of them his message.  It is incredibly simple, and the fact that it works at all shows how little Twoo cares about its users: they haven’t implemented even a basic CAPTCHA on message sending to stop code like this.
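For contrast, here is the kind of server-side check that would have stopped a script of this sort. This is an added example written for this article, not Dhilipsiva’s script and not Twoo’s code, and it makes no claim about how Twoo’s endpoint actually works. It assumes a message-send endpoint that is called once per recipient and tracks, per account, a sliding-window send rate and the number of first-time recipients contacted in that window; a cookie-driven script that fans out to dozens of strangers trips the second check long before a human would. The event data is constructed for illustration.

```python
"""Sliding-window abuse check for a 'send message' endpoint (added example,
not Twoo's code). A send is allowed only if the account is under its
per-window send limit AND, for a recipient it has never messaged before,
under its per-window limit on new recipients. Event data is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SendPolicy:
    max_per_window: int = 10        # total sends allowed per account per window
    max_new_recipients: int = 5     # first-contact recipients allowed per window
    window_seconds: float = 60.0    # assumed window length


@dataclass
class AccountState:
    sent_at: deque = field(default_factory=deque)         # timestamps of allowed sends
    first_contacts: deque = field(default_factory=deque)  # (ts, recipient) of new contacts
    ever_messaged: set = field(default_factory=set)       # recipients contacted before


class MessageRateLimiter:
    def __init__(self, policy=None):
        self.policy = policy or SendPolicy()
        self.accounts = defaultdict(AccountState)

    def _expire(self, state, now):
        cutoff = now - self.policy.window_seconds
        while state.sent_at and state.sent_at[0] <= cutoff:
            state.sent_at.popleft()
        while state.first_contacts and state.first_contacts[0][0] <= cutoff:
            state.first_contacts.popleft()

    def check(self, account, recipient, now):
        """Return (allowed, reason). Only allowed sends count toward the limits."""
        state = self.accounts[account]
        self._expire(state, now)
        if len(state.sent_at) >= self.policy.max_per_window:
            return False, "rate"
        first_contact = recipient not in state.ever_messaged
        if first_contact and len(state.first_contacts) >= self.policy.max_new_recipients:
            return False, "fanout"
        state.sent_at.append(now)
        if first_contact:
            state.first_contacts.append((now, recipient))
            state.ever_messaged.add(recipient)
        return True, "ok"


# Constructed events: (account, recipient, unix-ish timestamp in seconds).
SAMPLE_EVENTS = (
    # A human: three messages to two people over a few minutes.
    [("alice", "bob", 0.0), ("alice", "bob", 30.0), ("alice", "carol", 200.0)]
    # A scripted account fanning out to 30 strangers in under ten seconds.
    + [("mallory", f"victim{i}", 1000.0 + i * 0.3) for i in range(30)]
    # A scripted account flooding one recipient.
    + [("trent", "victim0", 2000.0 + i * 0.1) for i in range(15)]
)


def summarize(events, policy=None):
    """Replay events in time order; return per-account allowed/blocked counts."""
    limiter = MessageRateLimiter(policy)
    summary = defaultdict(lambda: {"allowed": 0, "blocked": defaultdict(int)})
    for account, recipient, ts in sorted(events, key=lambda e: e[2]):
        allowed, reason = limiter.check(account, recipient, ts)
        if allowed:
            summary[account]["allowed"] += 1
        else:
            summary[account]["blocked"][reason] += 1
    return {a: {"allowed": s["allowed"], "blocked": dict(s["blocked"])}
            for a, s in summary.items()}


if __name__ == "__main__":
    for account, counts in summarize(SAMPLE_EVENTS).items():
        print(account, counts)
```

With the defaults, alice’s three sends all go through, mallory gets five messages out before every further first-contact send is blocked as fan-out, and trent is cut off after ten sends to the same recipient. The two limits are deliberately separate: a pure send-rate cap would still let a script contact ten new strangers a minute, which is exactly the pattern the article describes.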

Twoo apparently got the message and got back to Dhilipsiva saying they had removed his account and asking if he could take down the script.  He did, until Geek Scot got in touch.  We asked Dhilipsiva about the exchange and told him about the investigation we had conducted so far.  He was angry to learn what we had found about accounts not really being deleted, and on checking discovered that his own account had indeed never been deleted.

Actually, I just checked and my account is NOT deleted yet. Dang! Lies again. I am attaching a screenshot of messages that were sent using the script.

Needless to say, the script was reposted on Dhilipsiva’s GitHub.  Perhaps Twoo will now do the honourable thing and actually secure their messaging platform, and, though we may be asking a bit much here, change their business practices too: treat the user base with some respect and delete data when users ask.  And just maybe, delete the data of the users who never asked to be part of the platform in the first place.  It is worth noting that Twoo claims on its Twitter profile to be based in London, so the UK Data Protection Act applies to them, and it requires that data be properly deleted when users request it.