Wednesday, May 12, 2010

A Dictionary Attack for Twitter

A dictionary attack is an attempt to crack a password by trying a list of logical passwords from a list of commonly used dictionary words.

Today, I'm pleased to release a dictionary attack which can obtain the password of Twitter users. The program itself is entirely free and legal. It should not be used illegally. I am not releasing the source code to it at this time.

There are two flaws with this dictionary attack. 1)Like the bruteforce attacks I released for Twitter, this program does not stop trying passwords once it finds the correct one. So you will need to watch the Twitter account of your victim. When the victims account tweets the tweet you wanted it to tweet, stop the program and view the LOG file it outputs to figure what password it used was the right one. 2)The dictionary list included with this program is not very good. A lot of the passwords in it are actually too short to be Twitter passwords >_<. If anyone can make or find a better list, let me know and I'll update the release with it.

If you're a concerned Twitter user over the vulnerability of your password, just put a number in your password and this attack will not be able to obtain your password. However, other and future Twitter attacks will be able to (until Twitter fixes the flaws in their system of course).

Finally, note that this release can obtain most passwords which do not use numbers within a weeks time. It can not obtain any passwords which contain numbers. It is overall much faster than the bruteforcers I have released previously due to the nature of dictionary attacks.

You can download the dictionary attack here.

You can view my previously released Twitter attacks here.

If you have any questions regarding the content of this post, feel free to leave a comment, join me in #arikadosblog on EFNET, post in our forums, tweet to me, or send me an e-mail at

Lastly, if you can, please donate to my college fund using the chip-in widget on the right-hand side of this blog.


  1. You can get a really good dictionary at The words are sorted by length, so you can easily remove the ones that are too short.

    Also, how do you do this without being accused of attempting a DoS attack or someone noticing that you're trying to crack a password?

  2. Have you thought about using john the ripper to mangle your dictionary file and pipe the output to your program? (similar to using john + aircrack)

  3. You failed on all level. Releasing a lame dictionary attack tool against twitter is a new low. Why would anyone donate to a person of such low morals. Any future employer reading this will think twice about hiring you.

  4. @Anonymous AKA Len
    Actually, you failed on every level ranging from your incorrect grammar to your entirely incorrect point.