Your Twitter posts can tell me where you live.
If you still think the buzz around Internet privacy is a joke, maybe this will jog your senses. We’ve already established that you can’t be anonymous on the Internet, yet some continue to believe otherwise. Yes, you’re still vulnerable even if you’re careful about what you share, especially if you’re on Twitter.
There’s a free script called Tinfoleak which can pull an alarming amount of information about any Twitter user based simply on their profile and their tweets. Let me show you how it works.
Setting Up Tinfoleak
Tinfoleak is nothing more than a lone Python script, making it available on pretty much any system. You won’t need to learn Python programming to make use of it but knowing the language can help if you intend to modify the script in any way.
Note: As far as I can tell, Tinfoleak is not explicitly licensed under any particular open source license. If you know which license it uses, please let us know.
First, you need to download and install Python. You can find platform-specific instructions on the Python site itself.
Be sure to install Python 2.7 as Python 3.x is not yet supported by Tweepy, a Python library which we also need.
Next, you need to download and install Tweepy, which allows Python scripts an easy way to interface with Twitter’s API. You don’t need to know how to use Tweepy; just install it before continuing.
Instructions for that can be found on the Tweepy project page.
Lastly, you’ll want to grab Tinfoleak itself. Download it here, unpack it using a program like 7-Zip, and put it anywhere you want – even right on the desktop. Edit the tinfoleak.py file using your text editor of choice and fill out your Twitter Dev OAuth credentials.
What I Found Using Tinfoleak
Now that Tinfoleak is set up and ready to go, let’s look at what this bad boy can do. With the command prompt, I just navigate to the script and run:
We’re presented with a whole lot of parameter options that we can use to make Tinfoleak do what we want. It’s a bit confusing at first so let’s just run through it with a few quick examples on my own account, @carbonduck.
python ./tinfoleak.py -n carbonduck -b
The -n parameter signifies which Twitter account we want to explore, which is carbonduck in this case. The following -b parameter means we’re only interested in basic account details.
Right away, we can see some nifty things – such as my account creation date and my total number of tweets and followers – but nothing too interesting yet.
python ./tinfoleak.py -n carbonduck -s
The -s parameter is used to look at the Twitter apps being used by the account. I’m not a big app user so the results are boring, but I’m sure there are a few scenarios in which it could be fun or useful to peek at someone’s Twitter apps.
What else can we do?
python ./tinfoleak.py -n carbonduck -h
Here’s a rundown of all the hashtags I’ve used, which can be obtained with the -h parameter. Based on this, you could accuse me of using the shotgun tactic of cramming too many hashtags per tweet and you’d be right. You got me.
It’s hard to think of a scenario in which knowing someone’s choice of hashtags could be used against them in a harmful way, but it does allow you to get a quick glimpse into their psyche and their topics of interest.
python ./tinfoleak.py -n carbonduck -m
The -m parameter lets you pull every single mention made by the user. Who are they talking to and how often are they talking to them? This is how you can find out.
Again, none of this is too nefarious so far, especially when you consider that all of this information is already publicly available just by browsing Twitter, but it’s a bit unsettling that it can all be made available in mere seconds, isn’t it?
python ./tinfoleak.py -n carbonduck -g
Finally, we get to the most interesting aspect of Tinfoleak: the -g parameter which grabs geolocation data based on the Twitter With Location feature when posting tweets.
If you didn’t know, Twitter lets you add your location into your tweets. Depending on your account settings and the Twitter client you’re using, your tweets can include anything from city-and-state information up to exact latitude-and-longitude coordinates (which you can see in the screenshot above).
If you’re at home and naively posting your location with your tweets, someone could very well peek at your coordinates and find out where you live. Spooky.
python ./tinfoleak.py -n carbonduck -p 1
Here’s the other interesting feature that comes with some frightening implications. The -p parameter allows you to procedurally download every picture that appears in the user’s tweet history.
This should be a red flag for those of you who upload a lot of pictures to Twitter. How would you feel if someone out there could effortlessly download every single one of them without your knowledge? Again, it’s not like it was impossible before, but “effortlessly” is the key word here.
python ./tinfoleak.py -n carbonduck -t
python ./tinfoleak.py -n carbonduck -c 1000
python ./tinfoleak.py -n carbonduck -f word
python ./tinfoleak.py -n carbonduck –sdate YYYY/MM/DD
python ./tinfoleak.py -n carbonduck –edate YYYY/MM/DD
python ./tinfoleak.py -n carbonduck –stime HH:MM:SS
python ./tinfoleak.py -n carbonduck –etime HH:MM:SS
These are some extra options and filters that you can use to narrow down the tweets that are explored by Tinfoleak:
- -t enables timestamps in the results output.
- -c indicates how many tweets you want to search. Default is 100.
- -f only searches through tweets that include word.
- –sdate indicates the starting date for searching through tweets.
- –edate indicates the ending date for searching through tweets.
- –stime indicates the starting time for searching through tweets.
- –etime indicates the ending time for searching through tweets.
Protecting Yourself Against Tinfoleak
The “problem” with Tinfoleak is that it’s a perfectly legitimate tool. All it does is leverage the Twitter API to quickly retrieve data that’s already available to the public. The only real defense is to deactivate your Twitter account, though your data itself will still be available for up to 30 days afterwards.
Otherwise, your protection options are somewhat limited.
The most important thing is to opt out of location-based tweets:
- Go to your Twitter settings.
- Click on Security and Privacy.
- Uncheck the “Add a location to my Tweets” option.
- Click “Delete all location information”.
In order to delete pictures, you’ll need to delete the tweets that contain those pictures. To do that, you’ll probably want to use a service that procedurally deletes tweets rather than going through them by hand.
Or if you want to go to the extreme, you could annihilate your online persona instead.
What do you think? Does such deep access to your past tweets worry you or do you think it’s nothing to fret about? Share your thoughts with us by posting a comment below.