b-sides las vegas - social network security
DESCRIPTION
A presentation I gave at the first b-sides Las Vegas security conference showing the security challenges we face going forward in the era of open-by-default social networking.
TRANSCRIPT
Twitter API Hacks Unicorns
Damon P. Cortesi, Alchemy Security, LLC
Social Networking, Raping the Twitter API, the Age Before Firewalls/Unicorns and the Pitfalls of Rapid Application Development -- Crowd-sourced version. ;)
@dacort
A Twistory of Security #fail
April 2008
•CSRF (via @McGrewSecurity)
July 2008
•Staging Server + SQL Debug
Fix
•Require Basic Auth
•Limit by IP
•Don’t expose to web
#FAIL
•Basic Auth not enabled on HTTPS
November 2008
•TwitterRank “scam”
Password Security
•5 Minutes Later
December 2008
•XSS in newly deployed user search
December 2008
•Information Disclosure Vulnerability
•Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords
Retrieve Username
// Any page could embed this: the browser sends the victim's Twitter cookie with the JSONP request
$.getJSON("http://twitter.com/statuses/user_timeline?count=1&callback=?", function(data) {
  alert("Username is: " + data[0].user.screen_name);
});
Sample response:
{"text":"Pretty sure humans have kneecaps so we can slam them into tables. *ow*","truncated":false,"user":{"following":null,"time_zone":"Pacific Time (US & Canada)","description":"Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http:\/\/tweetstats.com and http:\/\/ratemytalk.com).","screen_name":"dacort","utc_offset":-28800,"profile_sidebar_border_color":"87bc44","notifications":null,"created_at":"Thu Dec 21 07:14:05 +0000 2006","profile_text_color":"000000","url":"http:\/\/dcortesi.com","name":"Damon Cortesi","statuses_count":21385,"profile_background_image_url":"http:\/\/static.twitter.com\/images\/themes\/theme1\/bg.gif","followers_count":4441,"protected":false,"profile_link_color":"A100FF","profile_background_tile":false,"friends_count":1775,"profile_background_color":"000000","verified":false,"favourites_count":202,"profile_image_url":"http:\/\/s3.amazonaws.com\/twitter_production\/profile_images\/90802743\/Famous_Glasses_normal.jpg","location":"Seattle, WA","id":99723,"profile_sidebar_fill_color":"e0ff92"},"in_reply_to_status_id":null,"created_at":"Mon Jul 27 21:37:53 +0000 2009","in_reply_to_user_id":null,"favorited":false,"in_reply_to_screen_name":null,"id":2877957719,"source":"<a href=\"http:\/\/www.atebits.com\/\">Tweetie<\/a>"}
Courtesy of @harper
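The disclosure above comes down to one design choice: the JSONP endpoint identified the caller from the browser's ambient session cookie. The following toy handler is an added example (not code from the talk or from Twitter) with constructed data and names (SESSIONS, TOKENS, TIMELINES, handleUserTimeline); it reproduces the leak when cookies are trusted and shows the hardened form, which only derives identity from a credential a cross-origin script tag cannot supply.

```javascript
// Constructed data: cookie sessions, explicit API tokens and a timeline per user.
const SESSIONS = { "sess-123": "dacort" };   // session cookie value -> user
const TOKENS = { "tok-456": "dacort" };      // explicit API token -> user
const TIMELINES = {
  dacort: [{ text: "constructed tweet", user: { screen_name: "dacort" } }],
};

// Ambient credential: the browser attaches this to any <script src> request.
function cookieSession(req) {
  const m = /(?:^|;\s*)_session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// Explicit credential: only first-party code (XHR/app) can set this header.
function bearerUser(req) {
  const auth = req.headers.authorization || "";
  return auth.startsWith("Bearer ") ? TOKENS[auth.slice(7)] || null : null;
}

// trustCookies=true reproduces the leaky behaviour; false is the hardened form.
function handleUserTimeline(req, { trustCookies }) {
  const url = new URL(req.url, "http://api.example.invalid");
  const callback = url.searchParams.get("callback");
  const who = url.searchParams.get("screen_name")
    || bearerUser(req)
    || (trustCookies ? cookieSession(req) : null);
  if (!who) return { status: 401, body: "" };
  const json = JSON.stringify(TIMELINES[who] || []);
  if (callback === null) return { status: 200, body: json };
  // A JSONP callback must be a plain identifier, or the response is script injection.
  if (!/^[A-Za-z_$][\w$]*$/.test(callback)) return { status: 400, body: "" };
  return { status: 200, body: `${callback}(${json});` };
}

// Constructed cross-site request, as a third-party page's <script src=...> would
// produce: the victim's cookie is present, no Authorization header is.
const crossSiteReq = {
  url: "/statuses/user_timeline?count=1&callback=cb",
  headers: { cookie: "_session=sess-123" },
};
```

With cookies trusted the response is `cb([...])` naming the logged-in user; with them ignored the same request gets a 401 while a first-party call carrying the token still works.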
January 2009
•Twitter admin interface compromised
•Publicly accessible
•Logins tied to employee Twitter accounts
•Not to mention...
•“happiness”
March 2009
•Information disclosure
•Account restoration
•Deleted username -> Email
April 2009
•Race to 1 million
•4chan
•scripts and kiddies and captchas
April 2009
•Mikeyy Worm
• (What is it with guys whose names end in “y”)
•Basic, run-of-the-mill XSS
•What is special is Twitter’s #FAIL
Saturday, April 11
Sunday, April 12
Monday, April 13
Friday, April 17
July 2009
•Cloud insecurity ;)
Cloud Services
•When you don’t control the service
•You don’t know how vulnerable you are
•But
•No difference for a targeted attacker
•Just different risks / attack vectors
Cloud vs ?
•VPN vs. global access
•Managed vs. unpatched/poorly managed
•Server mis-configuration
•Weak passwords
•Cross-Site [Scripting|Request Forgery]
• Information Disclosure
•Spam
•Phishing
Before I continue...
•Props to @a3lx (Alex Payne) and @netik (John Adams)
•Keeping the security ship floating at Twitter
•mod_memcache_block by netik
•Apache module that allows you to block access to your servers using a block list stored in memcache.
Not just Twitter
•Users
•People love to click links
•People are socializing in a huge public forum
•URL Shorteners
•Obfuscation, malware and virii, oh my!
Phishing
•Users think nothing of clicking a link
•Entering their password
•Just yesterday - twitviewer.net
•Takes advantage of ego
•Same thing on MySpace
Malware || Misinformation
•Both spread via Twitter
Too easy...
But wait, there’s more
And MORE!
Users - #twitterpornname
•While your “Porn Name” may be a fun game to play amongst friends...
•1st Pet’s name + rand(‘street’, ‘teacher’)
Oh, Shorteners...
TinyURL
@rafallos
Third Parties
•TwitPic Integration from client apps
•Is your password only local to the client app?
•Nope. Not if you “twitpic” something.
Not just Twitter
•1 day of random sampling
•>1,000 apps posting to Twitter
•Web, Mobile Web
•Desktop
•>10,000 OAuth-registered apps
•So when you say “secure Twitter” ...
OAuth Will Save us All
Not really...
•OAuth vulnerability required Twitter to shut down OAuth with no notice.
•Only read and read/write
•Read includes DMs
•Also, your “protected” friends’ accounts
•OAuth creds stored instead of passwords
•vi
Again, Not just Twitter
“What Other Users Can See via the Facebook Platform”
“When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see.”
#FAIL
•Applications will try to retain as much information about you as possible.
•No personal firewall for SocNet’s yet.
•Continually Eroding Privacy
•http://tweepsearch.com/search?query="works+at+apple"
•Seattle coffee shops
In ur Cookies
The rest of Web 2.0
•Another micro-blogging site
Info Disclosure
•Another micro-blogging service
•User emails displayed on confirmation page
Poor Design
•Email Service
•RSS feed of inbox
•Unauthenticated
•HTTP
Geo-Loc SQLi
•iPhone app - shows nearby updates
•Integrated web site
•SQL Injection
•Reported twice, no response
•Geo-tracking ensues
Web 2.0 Frameworks
•As of Django 1.0 (Sep 2008), HTML is auto-escaped
•Does Rails? No
•Does Google App Engine? No
•Does ASP.NET? On built-in controls
•Also has built-in request validation
RESTful APIs
•Asking for some CSRF hurt
•i.e. Updates not always restricted to POST
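To make the “updates not restricted to POST” point concrete, here is an added example (not code from the talk or from any real API) of a toy /statuses/update handler with constructed names (SESSIONS, POSTED, handleStatusUpdate): the unhardened form accepts an update over GET with nothing but the session cookie, so a link or image on any site posts as the victim; the hardened form restricts the route to POST and requires a per-session token that a cross-site request cannot know.

```javascript
// Constructed session store: cookie value -> user and that user's CSRF token.
const SESSIONS = { "sess-123": { user: "dacort", csrfToken: "tkn-789" } };
const POSTED = [];   // updates the handler accepted, in order

function sessionFor(req) {
  const m = /(?:^|;\s*)_session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS[m[1]] || null : null;
}

// hardened=false: status taken from the query string on any method (the CSRF hurt).
// hardened=true: POST only, plus an authenticity_token bound to the session.
function handleStatusUpdate(req, { hardened }) {
  const session = sessionFor(req);
  if (!session) return { status: 401 };
  const url = new URL(req.url, "http://api.example.invalid");
  const params = req.method === "POST"
    ? new URLSearchParams(req.body || "")
    : url.searchParams;
  if (hardened) {
    if (req.method !== "POST") return { status: 405 };
    // The cookie proves who the browser is, not that the user meant to send this;
    // the token proves the request came from a page the server itself rendered.
    if (params.get("authenticity_token") !== session.csrfToken) return { status: 403 };
  }
  const status = params.get("status");
  if (!status) return { status: 400 };
  POSTED.push({ user: session.user, status });
  return { status: 200, posted: POSTED.length };
}

// Constructed forged request: a GET fired by an <img src> on a hostile page.
// The browser adds the victim's cookie on its own.
const forgedGet = {
  method: "GET",
  url: "/statuses/update?status=constructed+worm+text",
  headers: { cookie: "_session=sess-123" },
};
```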
Why?
•Non-standard frameworks
•Lack of awareness
•Lack of standard disclosure channels
•Disclosure policies?
Disclosure...
•So this guy, @quine
•Blogged a blog...
Web Disclosure
•No clear lines
•Ambulance chasers
•Potential for legal action
•Little vendor responsibility
•More trouble than it’s worth
Solutions?
•OSVDB Extension?
•Separate entity?
•You tell me?