
Twitter: big on social, small on security

23 September 2010

This week, in the wake of the Twifficiency debacle, Twitter fell prey to an embarrassingly simple JavaScript injection attack. The attack manifested itself in the form of the first widespread Twitter worm. This obviously had everyone up in arms about Twitter’s lack of real-world security – once again.

This is just the beginning of Twitter’s security problems though.

Twitter Security

Before we start digging into the really scary stuff, let’s look at the issue at hand: how did this worm happen?

You can read a detailed description here (scroll down to how the hack works).

1. Untested HTML sanitizing code

In short, the code meant to sanitize links posted to Twitter did such a terrible job of it that it allowed JavaScript to be inserted into links. This is like building with thick stone walls but forgetting to put a roof on, because you didn’t think anything would enter that way.

2. Basic Authentication up to August 2010

Let’s backtrack a bit. Not a decade. Not even a year. In fact, about one month. Twitter still allowed Basic access authentication, which involves sending the user’s username and password in the clear over the Internet to the server. This was not 1991 – it was last month!

3. Flawed OAuth implementation

To add insult to injury, Twitter’s implementation of the OAuth protocol is flawed by design, and relies on the application’s private key being sent to Twitter when the application authenticates itself to Twitter. This is the equivalent of not having a front door key for your fortified stone building, but rather a password, that, when shouted loud enough in front of the gate, will cause it to open. (Open Says-a-who?)

This goes directly against the guidelines laid out in the OAuth RFC – it means an application will always need its private key to be embedded in the application in some way or another, putting it in the hands of anyone who’s downloaded the application. That pretty much does not make it a private key anymore, does it? A very simple way of retrieving such an application key is demonstrated here.

Anyone in possession of an application’s private key can authenticate themselves to Twitter as the application.

4. Lack of permissions granularity

Then, another big one: Twitter’s application permission set contains a grand total of two settings: Read-only and Read & write. At this point it’s justified to say WTF.

As a result of this medieval permissions granularity, every single application with access to your account can read your direct messages, which are supposed to be private. Now, a while ago I criticized Facebook’s extended permissions in one post, and praised them in another, for what they did wrong, and what they did right, respectively. Well, Twitter doesn’t have them. Twitter’s entire permissions scheme is built on an allow nothing/allow all granularity.

As far as security is concerned, Twitter lives in the dark ages, and they will soon have to be yanked out of their ignorance, or their whole world, as well as the social world of us, their users, is going to crumble from beneath them. This is a cry of desperation.

  • September 24, 2010 at 2:48 pm

    Interesting post. While I think that a lot of Twitter use is in the public domain anyway, and privacy is not much of an issue, the hijacking of accounts for spam or other purposes is.

    The fact that an unscrupulous person could obtain the details of thousands of users by obtaining an application key and then presenting themselves as the application to Twitter is indeed a massive security hole.

  • Posted by Murray Hunter
    September 24, 2010 at 3:00 pm

    Very interesting. It’s startling how commonplace minor spam attacks seem to be on Twitter – practically part of the furniture.

1 Trackback

  • By The RAAKonteur #10 – – RAAK on September 24, 2010 at 4:44 pm

    [...] This week Twitter was hit by its first widespread worm. Our tech insight looks at Twitter's security situation, and finds a few seriously alarming flaws in the social giant's approach to security. Read More » [...]
