This is just the beginning of Twitter’s security problems though.
Before we start digging into the really scary stuff, let’s look at the issue at hand: how did this worm happen?
You can read a detailed description here (scroll down to how the hack works)
1. Untested HTML sanitizing code
2. Basic Authentication up to August 2010
Let’s backtrack a bit. Not a decade. Not even a year. In fact, about one month. Twitter still allowed Basic access authentication, which involves sending the user’s username and password in the clear over the Internet to the server. This was not 1991 – it was last month!
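To make the point concrete, here is a small added example (my own code, not Twitter’s and not from the description linked above) that shows what “in the clear” means in practice: a Basic credential is just Base64, and anyone who can see the request can turn it back into the username and password. The function scans a few constructed request records for Basic credentials sent over plain http, which is the check a defender would run over proxy or capture logs. The host api.example.test, the accounts and the passwords are made up.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample of captured request metadata (not real Twitter traffic):
# each entry is the request URL plus the Authorization header the client sent.
SAMPLE_REQUESTS = [
    {"url": "http://api.example.test/1/statuses/update.xml",
     "authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()},
    {"url": "https://api.example.test/1/statuses/update.xml",
     "authorization": "Basic " + base64.b64encode(b"bob:correct horse").decode()},
    {"url": "https://api.example.test/1/statuses/update.xml",
     "authorization": 'OAuth oauth_consumer_key="abc", oauth_signature="zzz"'},
]


def decode_basic(header):
    """Return (username, password) if `header` carries a Basic credential, else None.

    Basic auth is Base64 *encoding*, not encryption: reversing it needs no key.
    """
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:  # RFC 7617 requires the user-id:password form
        return None
    return user, password


def find_exposed_credentials(requests):
    """Flag requests that sent Basic credentials over plain HTTP.

    Returns (url, username) pairs so the account owner can be notified
    without the password itself ending up in yet another log.
    """
    exposed = []
    for req in requests:
        creds = decode_basic(req.get("authorization", ""))
        if creds is None:
            continue
        if urlsplit(req["url"]).scheme.lower() != "https":
            exposed.append((req["url"], creds[0]))
    return exposed


if __name__ == "__main__":
    for url, user in find_exposed_credentials(SAMPLE_REQUESTS):
        print(f"cleartext Basic credentials for {user!r} sent to {url}")
```

Note that the https request with Basic auth is not flagged: TLS hides the header from the network, but the server still receives the raw password on every call, which is the reason to move to token-based authentication rather than just to https.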
3. Flawed OAuth implementation
To add insult to injury, Twitter’s implementation of the OAuth protocol is flawed by design, and relies on the application’s private key being sent to Twitter when the application authenticates itself to Twitter. This is the equivalent of not having a front door key for your fortified stone building, but rather a password, that, when shouted loud enough in front of the gate, will cause it to open. (Open Says-a-who?)
This goes directly against the guidelines laid out in the OAuth RFC – it means an application will always need its private key to be embedded in the application in some way or another, putting it in the hands of anyone who has downloaded the application. That pretty much stops it being a private key, doesn’t it? A very simple way of retrieving such an application key is demonstrated here.
Anyone in possession of an application’s private key can authenticate themselves to Twitter as the application.
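To see why the application key is the whole identity of the application, here is an added example (my own code, not Twitter’s and not from the post linked above) of the OAuth 1.0 HMAC-SHA1 signing step from RFC 5849. The request signature is an HMAC keyed on the consumer secret and the token secret, so whoever holds the consumer secret can produce signatures that pass the server’s check, and a server that only checks the signature has no way to tell the real application from a copy of it. The consumer key, secrets, nonce, timestamp and the host api.example.test are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only the unreserved set is left as-is.
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """Build the RFC 5849 section 3.4.1 signature base string.

    `params` holds the query/body parameters plus the oauth_* protocol
    parameters (everything except oauth_signature) as (key, value) pairs.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Sign the base string. The HMAC key is consumer_secret&token_secret,
    so the consumer secret is the only thing that proves 'this is the app'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(method, url, params, presented, consumer_secret, token_secret=""):
    """Server-side check: recompute the signature and compare in constant time."""
    expected = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Constructed values for the demonstration; not real keys or tokens.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
URL = "https://api.example.test/1/statuses/update.json"
PARAMS = [
    ("status", "hello world"),
    ("oauth_consumer_key", "exampleconsumerkey"),
    ("oauth_token", "exampletoken"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1284000000"),
    ("oauth_nonce", "constructednonce"),
    ("oauth_version", "1.0"),
]


def sign_request():
    """Return the base string and the signature the client would send."""
    base = signature_base_string("POST", URL, PARAMS)
    return base, hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    base, sig = sign_request()
    print(base)
    print("oauth_signature =", sig)
```

The defensive consequence is the one the post draws: a secret that ships inside a desktop or mobile binary is not a secret, so a shipped client should either talk to its own server-side component that holds the consumer secret, or the provider should treat such applications as unauthenticated and stop granting them privileges on the strength of that key.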
4. Lack of permissions granularity
Then, another big one: Twitter’s application permission set contains a grand total of two settings: Read-only and Read & write. At this point it’s justified to say WTF.
As a result of this medieval permissions granularity, every single application with access to your account can read your direct messages, which are supposed to be private. Now, a while ago I criticized Facebook’s extended permissions in one post, and praised them in another, for what they did wrong, and what they did right, respectively. Well, Twitter doesn’t have them. Twitter’s entire permissions scheme is built on an allow-nothing/allow-all granularity.
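Here is an added illustration (my own code, not Twitter’s API) of the difference between the two-level scheme described above and a scoped one. The endpoint paths and scope names are made up for the example; the point is that under the coarse model a “read” token for a timeline widget necessarily reaches direct messages, while under a scoped model the same widget can be granted only what it needs.

```python
# Two authorization models over the same constructed endpoints (not Twitter's real API).

COARSE_MODEL = {  # the allow-nothing/allow-all style: every endpoint is "read" or "write"
    "GET /statuses/home_timeline": "read",
    "GET /direct_messages": "read",
    "POST /statuses/update": "write",
    "POST /direct_messages/new": "write",
}
# A "write" token implies read access as well, which is how a two-level scheme behaves.
COARSE_IMPLIES = {"read": {"read"}, "write": {"read", "write"}}

GRANULAR_MODEL = {  # private data sits behind its own scope
    "GET /statuses/home_timeline": "timeline:read",
    "GET /direct_messages": "dm:read",
    "POST /statuses/update": "statuses:write",
    "POST /direct_messages/new": "dm:write",
}


def coarse_allowed(token_level, endpoint):
    """Two-level check: does the token's level cover the endpoint's level?"""
    return COARSE_MODEL[endpoint] in COARSE_IMPLIES[token_level]


def granular_allowed(token_scopes, endpoint):
    """Scoped check: the token must carry exactly the scope the endpoint demands."""
    return GRANULAR_MODEL[endpoint] in set(token_scopes)


def reachable(check, token, endpoints):
    """Every endpoint the token can call under the given model, sorted for display."""
    return sorted(ep for ep in endpoints if check(token, ep))


def reachable_coarse(token_level):
    return reachable(coarse_allowed, token_level, COARSE_MODEL)


def reachable_granular(token_scopes):
    return reachable(granular_allowed, token_scopes, GRANULAR_MODEL)


if __name__ == "__main__":
    # A timeline widget only needs to read the home timeline.
    print("coarse 'read' token reaches:", reachable_coarse("read"))
    print("granular timeline:read token reaches:", reachable_granular(["timeline:read"]))
```

Under the coarse model the least-privileged token available still includes `GET /direct_messages`; under the scoped model a user can grant the widget `timeline:read` and keep their messages private, and a review of granted scopes tells you exactly which applications could have read them.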
As far as security is concerned, Twitter lives in the dark ages, and they will soon have to be yanked out of their ignorance, or their whole world, as well as the social world of us, their users, is going to crumble from beneath them. This is a cry of desperation.
Posted by Adriaan Pelzer