b-sides las vegas - social network security

Post on 26-Jan-2015


DESCRIPTION

A presentation I gave at the first b-sides Las Vegas security conference showing the security challenges we face going forward in the era of open-by-default social networking.

TRANSCRIPT

Twitter API Hacks Unicorns

Damon P. Cortesi, Alchemy Security, LLC

Social Networking, Raping the Twitter API, the Age Before Firewalls/Unicorns and the Pitfalls of Rapid Application Development -- Crowd-sourced version. ;)

@dacort

A Twistory of Security #fail

April 2008

•CSRF (via @McGrewSecurity)

July 2008

•Staging Server + SQL Debug

Fix

•Require Basic Auth

•Limit by IP

•Don’t expose to web

#FAIL

•Basic Auth not enabled on HTTPS

November 2008

•TwitterRank “scam”

Password Security

5 Minutes Later

December 2008

•XSS in newly deployed user search

December 2008

•Information Disclosure

Vulnerability

•Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords

Retrieve Username

$.getJSON("http://twitter.com/statuses/user_timeline?count=1&callback=?",
  function(data) {
    // The JSONP response is generated under the visitor's own Twitter cookie,
    // so a page on any domain can read the logged-in user's screen_name.
    alert("Username is: " + data[0].user.screen_name);
  });

{"text":"Pretty sure humans have kneecaps so we can slam them into tables. *ow*","truncated":false,"user":{"following":null,"time_zone":"Pacific Time (US & Canada)","description":"Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http:\/\/tweetstats.com and http:\/\/ratemytalk.com).","screen_name":"dacort","utc_offset":-28800,"profile_sidebar_border_color":"87bc44","notifications":null,"created_at":"Thu Dec 21 07:14:05 +0000 2006","profile_text_color":"000000","url":"http:\/\/dcortesi.com","name":"Damon Cortesi","statuses_count":21385,"profile_background_image_url":"http:\/\/static.twitter.com\/images\/themes\/theme1\/bg.gif","followers_count":4441,"protected":false,"profile_link_color":"A100FF","profile_background_tile":false,"friends_count":1775,"profile_background_color":"000000","verified":false,"favourites_count":202,"profile_image_url":"http:\/\/s3.amazonaws.com\/twitter_production\/profile_images\/90802743\/Famous_Glasses_normal.jpg","location":"Seattle, WA","id":99723,"profile_sidebar_fill_color":"e0ff92"},"in_reply_to_status_id":null,"created_at":"Mon Jul 27 21:37:53 +0000 2009","in_reply_to_user_id":null,"favorited":false,"in_reply_to_screen_name":null,"id":2877957719,"source":"<a href=\"http:\/\/www.atebits.com\/\">Tweetie<\/a>"}

Courtesy of @harper
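The slide above shows the leak from the attacker's side. The following is an added example, not code from the talk or from Twitter, showing the server side of the same bug and one way to close it: a cookie-authenticated JSON endpoint that honours a callback= parameter hands the logged-in user's data to any third-party page, while the same endpoint answering a plain same-origin request is fine. The session store, cookie name and route are constructed for the example.

```javascript
// Added example (not from the talk): why a cookie-authenticated JSON endpoint
// that honours ?callback= leaks the logged-in user's identity cross-site, and
// how a server can keep JSONP for public data only.

// Constructed sample session store: cookie value -> the user it belongs to.
const SESSIONS = { 'sess-abc123': { screen_name: 'dacort', id: 99723 } };

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// A callback must be a plain (optionally dotted) JS identifier; anything else
// is attacker-controlled JavaScript reflected into a script response.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// req is a minimal stand-in for http.IncomingMessage: { url, headers }.
// allowJsonpForAuthenticated=true reproduces the 2008 behaviour; false is the
// hardened behaviour. Returns { status, contentType, body }.
function userTimeline(req, { allowJsonpForAuthenticated }) {
  const url = new URL(req.url, 'http://twitter.example');
  const callback = url.searchParams.get('callback');
  const session = SESSIONS[parseCookies(req.headers.cookie).session];
  const payload = session
    ? [{ user: { screen_name: session.screen_name, id: session.id } }]
    : [];
  const json = JSON.stringify(payload);

  if (callback === null) {
    // Same-origin XHR: the browser will not let another origin read this.
    return { status: 200, contentType: 'application/json', body: json };
  }
  if (!SAFE_CALLBACK.test(callback)) {
    return { status: 400, contentType: 'application/json', body: '{"error":"bad callback"}' };
  }
  if (session && !allowJsonpForAuthenticated) {
    // Hardened: a <script> tag from any site triggers this path with the
    // victim's cookie attached, so JSONP must never carry cookie-selected
    // data. Answer exactly as an anonymous request would.
    return { status: 200, contentType: 'application/javascript', body: `${callback}([]);` };
  }
  // Legacy: wraps the authenticated payload in the caller's script callback.
  return { status: 200, contentType: 'application/javascript', body: `${callback}(${json});` };
}

module.exports = { userTimeline, parseCookies, SAFE_CALLBACK };
```

The callback-name check matters independently of the cookie problem: without it the endpoint is also a reflected script-injection point, because whatever is passed as callback= is emitted verbatim into a JavaScript response.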

January 2009

•Twitter admin interface compromised

•Publicly accessible

•Logins tied to employee Twitter accounts

•Not to mention...

•“happiness”

March 2009

•Information disclosure

•Account restoration

•Deleted username -> Email

April 2009

•Race to 1 million

•4chan

•scripts and kiddies and captchas


April 2009

•Mikeyy Worm

• (What is it with guys whose names end in “y”)

•Basic, run-of-the-mill XSS

•What is special is Twitter’s #FAIL

Saturday, April 11

Sunday, April 12

Monday, April 13

Friday, April 17

July 2009

•Cloud insecurity ;)

Cloud Services

•When you don’t control the service

•You don’t know how vulnerable you are

•But

•No difference for a targeted attacker

•Just different risks / attack vectors

Cloud vs ?

•VPN vs. global access

•Managed vs. unpatched/poorly managed

•Server mis-configuration

•Weak passwords

•Cross-Site [Scripting|Request Forgery]

• Information Disclosure

•Spam

•Phishing

Before I continue...

•Props to @a3lx (Alex Payne) and @netik (John Adams)

•Keeping the security ship floating at Twitter

•mod_memcache_block by netik

•Apache module that allows you to block access to your servers using a block list stored in memcache.

Not just Twitter

•Users

•People love to click links

•People are socializing in a huge public forum

•URL Shorteners

•Obfuscation, malware and virii, oh my!

Phishing

•Users think nothing of clicking a link

•Entering their password

•Just yesterday - twitviewer.net

•Takes advantage of ego

•Same thing on MySpace

Malware || Misinformation

•Both spread via Twitter

Too easy...

But wait, there’s more

And MORE!

Users - #twitterpornname

•While your “Porn Name” may be a fun game to play amongst friends...

•1st Pet’s name + rand(‘street’, ‘teacher’)

Oh, Shorteners...

TinyURL

@rafallos

Third Parties

•TwitPic Integration from client apps

•Is your password only local to the client app?

•Nope. Not if you “twitpic” something.

Not just Twitter

•1 day of random sampling

•>1,000 apps posting to Twitter

•Web, Mobile Web

•Desktop

•>10,000 OAuth-registered apps

•So when you say “secure Twitter” ...

OAuth Will Save us All

Not really...

•OAuth vulnerability required Twitter to shut down OAuth with no notice.

•Only read and read/write

•Read includes DMs

•Also, your “protected” friends’ accounts

•OAuth creds stored instead of passwords

•vi

Again, Not just Twitter

“What Other Users Can See via the Facebook Platform”

“When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see.”

#FAIL

•Applications will try to retain as much information about you as possible.

•No personal firewall for SocNet’s yet.

•Continually Eroding Privacy

•http://tweepsearch.com/search?query="works+at+apple"

•Seattle coffee shops

In ur Cookies

The rest of Web 2.0

•Another micro-blogging site

Info Disclosure

•Another micro-blogging service

•User emails displayed on confirmation page

Poor Design

•Email Service

•RSS feed of inbox

•Unauthenticated

•HTTP

Geo-Loc SQLi

•iPhone app - shows nearby updates

•Integrated web site

•SQL Injection

•Reported twice, no response

•Geo-tracking ensues

Web 2.0 Frameworks

•As of Django 1.0 (Sep 2008), HTML is auto-escaped

•Does Rails? No

•Does Google App Engine? No

•Does ASP.NET? On built-in controls

•Also has built-in request validation


RESTful APIs

•Asking for some CSRF hurt

•i.e. Updates not always restricted to POST

Why?

•Non-standard frameworks

•Lack of awareness

•Lack of standard disclosure channels

•Disclosure policies?

Disclosure...

•So this guy, @quine

•Blogged a blog...

Web Disclosure

•No clear lines

•Ambulance chasers

•Potential for legal action

•Little vendor responsibility

•More trouble than it’s worth

Solutions?

•OSVDB Extension?

•Separate entity?

•You tell me?
