Deep Inspection of Online Personas

Thu, 29 Jan 2009 18:17:49 GMT

I found myself a new online toy. It is called Pipl and it is all about finding people online. Obviously, the concept behind the tool is not new. There are other tools that does the same, but this one is incredible accurate and verbose. It is a must toy in the arsenal of any serious penetration tester/attacker.

Of course, I went ahead and looked up several people I know and various security researchers, etc. The stuff it returned were unbelievable: facebook accounts, myspace, flickr, twitter and whatnot.

Anyway... The tool is also very AJAXy and it seams that it could be easily scripted.

Morgan StoreyMorgan Storey
Pretty good find, I seem to remember something about this from a while ago and recall trying it and it wasn't that good. But this is good for a pre-liminary information gathering, then you can learn nicknames etc and do some google fu.
.mario.mario
The problem with all those scraping estates is the value of information vs. the lack of security. Pipl and most other people scraper are highly vulnerable against XSS, Markup Injections and the so called DOM Redressing issues... Same with trust-ability. Temporary manipulation is as well possible as manipulation of the persistent search results by creating accounts with names similar to the victim's name. Hopefully those issues get somehow patched to avoid having the web flooded with false information about oneself. If possible at all - how to fix things broken by design?