
Your Twitter posts can tell me where you live.

If you still think the buzz around Internet privacy is a joke, maybe this will jog your senses. We’ve already established that you can’t be anonymous on the Internet, yet some continue to believe otherwise. Yes, you’re still vulnerable even if you’re careful about what you share, especially if you’re on Twitter.

There’s a free script called Tinfoleak which can pull an alarming amount of information about any Twitter user based simply on their profile and their tweets. Let me show you how it works.

Setting Up Tinfoleak

Tinfoleak is nothing more than a lone Python script, making it available on pretty much any system. You won’t need to learn Python programming to make use of it, but knowing the language can help if you intend to modify the script in any way.

Note: As far as I can tell, Tinfoleak is not explicitly licensed under any particular open source license. If you know which license it uses, please let us know.


First, you need to download and install Python. You can find platform-specific instructions on the Python site itself.

Be sure to install Python 2.7 as Python 3.x is not yet supported by Tweepy, a Python library which we also need.

Next, you need to download and install Tweepy, which allows Python scripts an easy way to interface with Twitter’s API. You don’t need to know how to use Tweepy; just install it before continuing.

Instructions for that can be found on the Tweepy project page.

Lastly, you’ll want to grab Tinfoleak itself. Download it here, unpack it using a program like 7-Zip, and put it anywhere you want – even right on the desktop. Edit the tinfoleak.py file using your text editor of choice and fill out your Twitter Dev OAuth credentials.

What I Found Using Tinfoleak

Now that Tinfoleak is set up and ready to go, let’s look at what this bad boy can do. With the command prompt, I just navigate to the script and run:

python ./tinfoleak.py


We’re presented with a whole lot of parameter options that we can use to make Tinfoleak do what we want. It’s a bit confusing at first so let’s just run through it with a few quick examples on my own account, @carbonduck.

python ./tinfoleak.py -n carbonduck -b


The -n parameter signifies which Twitter account we want to explore, which is carbonduck in this case. The following -b parameter means we’re only interested in basic account details.

Right away, we can see some nifty things – such as my account creation date and my total number of tweets and followers – but nothing too interesting yet.

python ./tinfoleak.py -n carbonduck -s


The -s parameter is used to look at the Twitter apps being used by the account. I’m not a big app user so the results are boring, but I’m sure there are a few scenarios in which it could be fun or useful to peek at someone’s Twitter apps.

What else can we do?

python ./tinfoleak.py -n carbonduck -h


Here’s a rundown of all the hashtags I’ve used, which can be obtained with the -h parameter. Based on this, you could accuse me of using the shotgun tactic of cramming too many hashtags per tweet and you’d be right. You got me.

It’s hard to think of a scenario in which knowing someone’s choice of hashtags could be used against them in a harmful way, but it does allow you to get a quick glimpse into their psyche and their topics of interest.

python ./tinfoleak.py -n carbonduck -m


The -m parameter lets you pull every single mention made by the user. Who are they talking to and how often are they talking to them? This is how you can find out.

Again, none of this is too nefarious so far, especially when you consider that all of this information is already publicly available just by browsing Twitter, but it’s a bit unsettling that it can all be made available in mere seconds, isn’t it?

python ./tinfoleak.py -n carbonduck -g


Finally, we get to the most interesting aspect of Tinfoleak: the -g parameter which grabs geolocation data based on the Twitter With Location feature when posting tweets.

If you didn’t know, Twitter lets you add your location into your tweets. Depending on your account settings and the Twitter client you’re using, your tweets can include anything from city-and-state information up to exact latitude-and-longitude coordinates (which you can see in the screenshot above).

If you’re at home and naively posting your location with your tweets, someone could very well peek at your coordinates and find out where you live. Spooky.

python ./tinfoleak.py -n carbonduck -p 1


Here’s the other interesting feature that comes with some frightening implications. The -p parameter allows you to procedurally download every picture that appears in the user’s tweet history.

This should be a red flag for those of you who upload a lot of pictures to Twitter. How would you feel if someone out there could effortlessly download every single one of them without your knowledge? Again, it’s not like it was impossible before, but “effortlessly” is the key word here.

python ./tinfoleak.py -n carbonduck -t

python ./tinfoleak.py -n carbonduck -c 1000

python ./tinfoleak.py -n carbonduck -f word

python ./tinfoleak.py -n carbonduck --sdate YYYY/MM/DD

python ./tinfoleak.py -n carbonduck --edate YYYY/MM/DD

python ./tinfoleak.py -n carbonduck --stime HH:MM:SS

python ./tinfoleak.py -n carbonduck --etime HH:MM:SS

These are some extra options and filters that you can use to narrow down the tweets that are explored by Tinfoleak:

  • -t enables timestamps in the results output.
  • -c indicates how many tweets you want to search. Default is 100.
  • -f only searches through tweets that include word.
  • --sdate indicates the starting date for searching through tweets.
  • --edate indicates the ending date for searching through tweets.
  • --stime indicates the starting time for searching through tweets.
  • --etime indicates the ending time for searching through tweets.

Protecting Yourself Against Tinfoleak

The “problem” with Tinfoleak is that it’s a perfectly legitimate tool. All it does is leverage the Twitter API to quickly retrieve data that’s already available to the public. The only real defense is to deactivate your Twitter account, though your data itself will still be available for up to 30 days afterwards.

Otherwise, your protection options are somewhat limited.

The most important thing is to opt out of location-based tweets:

  • Go to your Twitter settings.
  • Click on Security and Privacy.
  • Uncheck the “Add a location to my Tweets” option.
  • Click “Delete all location information”.

In order to delete pictures, you’ll need to delete the tweets that contain those pictures. To do that, you’ll probably want to use a service that procedurally deletes tweets rather than going through them by hand.

Or if you want to go to the extreme, you could annihilate your online persona instead.
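
A self-audit along the lines of the steps above, as an added example that is not part of Tinfoleak or the original article: it sorts your own tweets by what they expose (exact coordinates, a place tag, or pictures) so you know which ones to delete. It assumes tweet objects in the Twitter REST API v1.1 JSON shape (coordinates, place, entities.media); the sample tweets and the example.invalid URL are constructed.

```python
import json

# Constructed sample: four tweets shaped like Twitter REST API v1.1 objects.
SAMPLE_TWEETS = json.loads("""
[
  {"id_str": "1001", "text": "Coffee time",
   "coordinates": {"type": "Point", "coordinates": [-0.1276, 51.5072]},
   "place": {"full_name": "London, England"}, "entities": {}},
  {"id_str": "1002", "text": "Back in town",
   "coordinates": null,
   "place": {"full_name": "Manchester, England"}, "entities": {}},
  {"id_str": "1003", "text": "New desk setup",
   "coordinates": null, "place": null,
   "entities": {"media": [{"media_url_https": "https://example.invalid/a.jpg"}]}},
  {"id_str": "1004", "text": "Nothing to see here",
   "coordinates": null, "place": null, "entities": {}}
]
""")


def classify(tweet):
    """Return the set of exposure labels for one tweet object."""
    labels = set()
    point = tweet.get("coordinates") or {}
    if point.get("type") == "Point" and len(point.get("coordinates", [])) == 2:
        labels.add("exact_coordinates")   # GeoJSON order is [longitude, latitude]
    elif tweet.get("place"):
        labels.add("place_only")          # city-level tag without coordinates
    entities = tweet.get("extended_entities") or tweet.get("entities") or {}
    if entities.get("media"):
        labels.add("media")               # picture attached to the tweet
    return labels


def audit(tweets):
    """Group tweet IDs by exposure so they can be reviewed or deleted."""
    report = {"exact_coordinates": [], "place_only": [], "media": []}
    for tweet in tweets:
        for label in classify(tweet):
            report[label].append(tweet["id_str"])
    return report


if __name__ == "__main__":
    for label, ids in audit(SAMPLE_TWEETS).items():
        print(f"{label}: {len(ids)} tweet(s) -> {', '.join(ids) or 'none'}")
```
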

What do you think? Does such deep access to your past tweets worry you or do you think it’s nothing to fret about? Share your thoughts with us by posting a comment below.

  1. Geoff
    December 28, 2015 at 6:12 pm

    I can't work all this out, can someone run this Twitter handle and let me know the result
    @jack729060631

  2. Vicente Aguilera Díaz
    March 23, 2015 at 1:32 pm

    Hi Joel,

    A new version of Tinfoleak is available! This version includes a lot of new features and functionalities.

    You can download Tinfoleak from here:
    http://www.isecauditors.com/herramientas

    and from my personal website:
    http://www.vicenteaguileradiaz.com/tools/

    Notes about this version (sorry, only in Spanish at this moment), here:
    http://blog.isecauditors.com/2015/03/nueva-version-de-tinfoleak-lista-para-descargar.html

    Regards!

  3. Vicente Aguilera Diaz
    October 16, 2014 at 7:11 pm

    Hi Joel,

    Great post! Thanks for talking about my Tinfoleak tool.

    In November I will publish a new version of this tool with a lot of interesting functions.

    Regards.

    • Joel Lee
      October 18, 2014 at 6:37 pm

      Hey Vicente! Tinfoleak is awesome and useful, thanks for creating it. I look forward to the new version.

  4. Lurker
    October 15, 2014 at 8:19 pm

    Meh, I am a lurker so I don't have any pics on Twitter and have already erased and blocked all location info.

    • Joel Lee
      October 18, 2014 at 6:37 pm

      Then you should be fine for the most part. :)
