Twitter Security Issue

I recently discovered a serious security issue on Twitter. Let me tell you the story.

Taking over an account

Someone started a Twitter account with the sole purpose of mocking me. It took me quite a while to find out who it was. Since practically everyone enjoys a good joke at my expense, the suspect list was quite long. But finally, I received information from a good Samaritan who did some investigating that was out of my reach.

I confronted the individual, a friend of mine, and asked him to turn over the account that was tarnishing my reputation (many people thought I was behind the account, leading them to believe I was pretentious and egotistical). After a few hours of instant messaging and agreeing to some terms (such as anonymity), he gave me access to the account. Upon logging in, I immediately changed the password, logged out, and logged in with the new password to make sure it took.

A day or two later, the user popped up on my radar again by mentioning my name in a tweet.

How did he get access to the account?

My first thought: I’m an Idiot! I forgot to change the email address in the account settings! If my friend went through the password reset steps, he could easily regain control of the account. I tried logging in with the password I had recently set, and it worked. I changed the email address and changed the password again. Then I contacted my friend about it, admitting my idiocy regarding the email settings. He said he hadn’t thought to go through the “Forgot password?” steps.

Then how did he get back in?!

He told me he had left his browser window open. The morning after yielding control of the account, he went back to the browser and it still worked!

This is where it gets SERIOUS

Let’s imagine, hypothetically, that you give your password to a 3rd party application. If the application’s owner logs in with that password once and saves the session cookie, they can re-create that cookie at any time in the future, even if you change your password (there are even browser plug-ins that allow you to read and write cookies).

This means they can get back into your account whenever they want, indefinitely. They can post tweets, read your DMs, follow other users on your behalf, etc.

What’s worse, they can lock YOU out of YOUR ACCOUNT!

If you type in your password every time you go to Twitter.com (even if your browser “remembers” it for you), an attacker holding a saved session cookie can take complete control over your account. Ticking the “remember me” checkbox at least gives you the same permanent access to your account that your attacker enjoys. So how can they lock you out? You can change the account’s email address without typing your password! If an attacker is in your account, changing your password won’t stop them from kicking you out. They can change the email to their own address, log out, and request a password reset from Twitter. Twitter sends the reset email to that address, and they click the link to set a new password.

How to stay safe

As far as I know, there is nothing you can do to prevent this from happening to you, aside from never giving anyone or any application your password.

Twitter needs to use a smarter session cookie that is in some way linked to the user’s password or have another way of killing other sessions if you log out. Twitter should also consider using per-user API keys for users to give to 3rd party applications, instead of authenticating with your password.
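What a session cookie “linked to the user’s password” can look like, as an added example in Ruby (this is not Twitter’s code; the Account and SessionStore classes and their method names are my own). Each session records the password generation it was issued under, a password change bumps the generation so older cookies stop validating, changing the email address requires the password, and a “log out all sessions” control is included.

```ruby
require 'securerandom'
require 'digest'

# Added example, not Twitter's code: each session records the password
# "generation" it was issued under, so a password change invalidates old cookies.
# Illustrative hash only; real systems use a slow, salted KDF such as bcrypt.
def hash_password(password)
  Digest::SHA256.hexdigest("static-salt:#{password}")
end

class Account
  attr_reader :email, :password_generation
  def initialize(email, password)
    @email, @password_hash, @password_generation = email, hash_password(password), 1
  end
  def check_password(password)
    @password_hash == hash_password(password)
  end
  def change_password(old_password, new_password)
    return false unless check_password(old_password)
    @password_hash = hash_password(new_password)
    @password_generation += 1 # every outstanding session stops validating
    true
  end
  # Re-authenticated, so a stolen cookie alone cannot redirect reset mail.
  def change_email(new_email, password)
    return false unless check_password(password)
    @email = new_email
    true
  end
end

class SessionStore
  def initialize
    @sessions = {} # token => [account, generation at issue time]
  end
  def login(account, password)
    return nil unless account.check_password(password)
    token = SecureRandom.hex(16)
    @sessions[token] = [account, account.password_generation]
    token
  end
  def account_for(token)
    account, generation = @sessions[token]
    return nil if account.nil? || generation != account.password_generation
    account
  end
  def logout_everywhere(account) # the "log out all sessions" control the post asks for
    @sessions.delete_if { |_token, pair| pair[0].equal?(account) }
  end
end
```

With this scheme the friend’s still-open browser window in the story would have stopped working the moment the password was changed, and the email swap would have failed without the password.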


20 Responses to “Twitter Security Issue”

  1. Joel Says:

    What needs to happen is for all sessions to be terminated on change of password and reprompt a login.

    I don’t know what authentication methodology they’re using so I’m not sure what their implementation is at the back end.

  2. John_from_CT Says:

    Good bit of research, Brian. Do let us know if the people at Twitter reply to you regarding security upgrades.

  3. Joel Says:

    I should add that if these methods are accurate then Twitter’s team really needs to take a step back and relook at their methodology for security.

    http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2 <- a good place to start…

  4. Hatem Nassrat Says:

    The problem is that many websites allow the feature of having multiple logins by a single user. Other websites have the “remember me” box, which I guess would keep that particular session cookie for a longer period of time. All these application specifics are scary, especially when you hear about cookie stealing attacks by simply linking to a remote site with an http *rather than https* url, in this example twitter, and listening in and grabbing the cookie.

    Although we invent genius encryption algorithms like public key cryptography, we seem to overlay them with the stupidest protocols. I am sad to say the internet is now a spaghetti that’ll keep tangling so long as we stick to our PHPs.

  5. Tom Says:

    Twitter have said they are going to implement OAuth (which would solve this problem) on their API page. However, they have shown no progress to my knowledge of doing this. It would be great for the community to push them towards it.

  6. Jason Says:

    Oh, come on. If you give a 3rd party your password, you should expect that they can screw you from that point on, mainly because you *gave them your password* . Also, your password/session cookie is always going over the wire in cleartext. Twitter is inherently insecure at this point. Deal with it.

  7. Austin Says:

    Congrats on finding out who the anti is/was.

  8. Web2.0 Sucks Says:

    Here’s a tip, don’t use twitter.

  9. Gilzow Says:

    Not really sure why you are so surprised that there is a security issue when you give out your user name and password to a 3rd party.

    Though I agree that Twitter should adopt a better practice when it comes to handling account settings. I can understand why they don’t automatically kill all your sessions if you change your password: lots of users are logged into twitter from numerous applications and devices. But it would be a trivial matter to require the password for any account settings. They could also add a “log out all active sessions” feature and this issue would be solved.

    @Jason, while the session cookie is being sent in the clear, the password is not saved in the cookie. Also, twitter changes the session id each time you interact with the site, so they are at least trying to combat CSRF attacks.

    @Hatem There is a correction that needs to be made to what you posted: “I am sad to say the internet is now a spaghetti that’ll keep tangling so long as there are people who build applications that do not know how to code securely.” This isn’t a language-specific problem; this is an educational problem amongst coders.

  10. Zack Fasel Says:

    Take a second and check out http://hax.by/zf/3/ - touches on this issue quite a bit.

  11. AKA Riptide Furse » Blog Archive » Weekly (weekly) Says:

    [...] The Brian Shaler Blog / / Twitter Security Issue [...]

  12. Stop Sharing Your Twitter Credentials « twitpay.me: simple payments via Twitter Says:

    [...] Twitter has an open security hole documented here: http://brianshaler.com/blog/2008/11/23/twitter-security-issue/. Basically, if some hacker manages to get your username and password and log in to Twitter before [...]

  13. Wizardies! » Blog Archive » Twitter Security Hole! A Nightmare? Says:

    [...] Brian Shelar Blog raised an important issue regarding Twitter’s serious security hole. Basically, it tells how your [...]

  14. Gelie Says:

    I was wondering what the ‘fake’ account was all about. This makes sense…

  15. Wendy Kincade Says:

    Excellent article. Kind of scary, but anything online (or in the world) has risks. Thanks for the heads-up though.

  16. AcmePhoto Says:

    I guess I’ll quit changing my passwords every 2 weeks!

    With “friends” like that who needs enemies? Why would someone do all that work then want to be anonymous? I don’t get it, was there some sort of government coverup?

    @gelie, I heard the “fake” was totally different from the “anti”.

  17. Pishing en Twitter | SomosBloggers Says:

    [...] hacked Twitter accounts, visit the InfoSpyware blog. On top of all this, it seems there is also a problem with session cookies and their [...]

  18. Twitter Vulnerability History Says:

    [...] http://brianshaler.com/blog/2008/11/23/twitter-security-issue/ [...]

  19. links for 2009-05-08 — contentious.com Says:

    [...] The Brian Shaler Blog / / Twitter Security Issue More about how your Twitter account can be hijacked (tags: twitter social+media identity nefarious problems) [...]

  20. Software [In]Security: Twitter Security - Making Your Thoughts as Small and Incomplete as Possible | The IT Security Attaché Says:

    [...] is, but it’s not me. The question is whether or not I should care? (Some people apparently do.) It’s really not that clever or interesting making fun of someone anonymously. [...]
