Twitter Security Issue
UPDATE: The primary issue described in this post has been fixed. You can now only change your email address after entering your password.
I recently discovered a serious security issue on Twitter. Let me tell you the story.
Taking over an account
Someone started a Twitter account with the sole purpose of mocking me. It took me quite a while to find out who it was. Since practically everyone enjoys a good joke at my expense, the suspect list was quite long. But finally, I received information from a good Samaritan who did some investigating that was out of my reach.
I confronted the individual, a friend of mine, and asked him to turn over the account that was tarnishing my reputation (many people thought I was behind the account, leading them to believe I was pretentious and egotistical). After a few hours of instant messaging and agreeing to some terms (such as anonymity), he gave me access to the account. Upon logging in, I immediately changed the password, logged out, and logged in with the new password to make sure it took.
A day or two later, the user popped up on my radar again by mentioning my name in a tweet.
How did he get access to the account?
My first thought: I’m an Idiot! I forgot to change the email address in the account settings! If my friend went through the password reset steps, he could easily regain control of the account. I tried logging in with the password I had recently set, and it worked. I changed the email address and changed the password again. Then I contacted my friend about it, admitting my idiocy regarding the email settings. He said he hadn’t thought to go through the “Forgot password?” steps.
Then how did he get back in?!
He told me he had left his browser window open. The morning after yielding control of the account, he went back to the browser and it still worked!
This is where it gets SERIOUS
Let’s imagine, hypothetically, that you give your password to a third-party application. If the application’s owner logs in with that password once and saves the session cookie, they can put that cookie back into a browser at any time in the future and it will still work, even after you change your password (there are browser plug-ins that let you read and write cookies).
This means they can get back into your account whenever they want, indefinitely. They can post tweets, read your DMs, follow other users on your behalf, and so on.
What’s worse, they can lock YOU out of YOUR ACCOUNT!
It makes no difference whether you type in your password every time you visit Twitter.com (even if your browser “remembers” it for you) or tick the “remember me” checkbox: the checkbox only gives you the same persistent access to your account that the attacker already has. So how can they take over your account? You can change your email address without typing your password! If an attacker is in your account, changing your password won’t stop them from kicking you out. They can change the email to their own address, log out, and request a password reset from Twitter. Twitter sends the reset email to the attacker’s address, they click the link, and the account is theirs.
How to stay safe
As far as I know, there is nothing you can do to prevent this from happening to you, aside from never giving anyone or any application your password.
Twitter needs to use a smarter session cookie that is tied in some way to the user’s password, or provide some other way of killing every other session when you change your password or log out. Twitter should also consider issuing per-user API keys for users to give to third-party applications, instead of having those applications authenticate with your password.
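An added example, not code from the original post or from Twitter, of the two fixes asked for above: a session cookie that is bound to the password (so that saving and replaying a cookie stops working the moment the password changes, and a “log out everywhere” control costs nothing extra), and an email change that demands the password again, as in the UPDATE at the top. The cookie is a signed `username|generation|issued|HMAC` string: every user carries a generation counter that is bumped on password change or logout-everywhere, and a cookie whose generation no longer matches is rejected. The signing key, the in-memory `USERS` table, the `hunter2` password and the addresses are all made up for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical server-side signing key for illustration only; a real deployment
# loads it from a secrets manager and rotates it.
COOKIE_SECRET = secrets.token_bytes(32)
MAX_COOKIE_AGE = 30 * 24 * 3600  # seconds a cookie may live even if its generation is current
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    generation: int = 0  # bumped on password change or "log out everywhere"


USERS: dict = {}  # in-memory user table standing in for a database


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _check_password(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, _hash_password(password, user.salt))


def register(username: str, email: str, password: str) -> None:
    if "|" in username:
        raise ValueError("'|' is the cookie field separator")  # real code would use a structured encoding
    salt = os.urandom(16)
    USERS[username] = User(username, email, salt, _hash_password(password, salt))


def _sign(payload: str) -> str:
    return hmac.new(COOKIE_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _issue_cookie(user: User) -> str:
    # The cookie records the generation it was issued under, so it becomes
    # unverifiable as soon as the user's generation moves on.
    payload = f"{user.username}|{user.generation}|{int(time.time())}"
    return f"{payload}|{_sign(payload)}"


def login(username: str, password: str) -> Optional[str]:
    user = USERS.get(username)
    if user is None or not _check_password(user, password):
        return None
    return _issue_cookie(user)


def current_user(cookie: str) -> Optional[User]:
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, gen, issued, sig = parts
    expected = _sign(f"{username}|{gen}|{issued}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or tampered cookie
    user = USERS.get(username)
    if user is None or int(gen) != user.generation:
        return None  # issued before a password change or logout-everywhere: the replayed cookie
    if time.time() - int(issued) > MAX_COOKIE_AGE:
        return None  # too old, regardless of generation
    return user


def change_password(cookie: str, old_password: str, new_password: str) -> Optional[str]:
    """Re-verify the old password, rotate the hash, and invalidate every other
    session by bumping the generation; only the caller gets a fresh cookie."""
    user = current_user(cookie)
    if user is None or not _check_password(user, old_password):
        return None
    user.salt = os.urandom(16)
    user.password_hash = _hash_password(new_password, user.salt)
    user.generation += 1
    return _issue_cookie(user)


def change_email(cookie: str, password: str, new_email: str) -> bool:
    """A live session is not enough to change the address that password resets
    go to; the password has to be typed again (the fix in the UPDATE above)."""
    user = current_user(cookie)
    if user is None or not _check_password(user, password):
        return False
    user.email = new_email
    return True


def logout_everywhere(cookie: str) -> Optional[str]:
    """The 'kill every other session' control: same generation bump, no hash change."""
    user = current_user(cookie)
    if user is None:
        return None
    user.generation += 1
    return _issue_cookie(user)
```

Because the generation lives inside the signed cookie, the server needs no table of live sessions to revoke them; the price is that a single session cannot be revoked on its own, only all of them at once, which is exactly the control the post asks for. The stored `issued` time still lets the server expire old cookies, and a per-session store could be layered on top if individual revocation is wanted.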
November 23rd, 2008 at 8:37 pm
What needs to happen is for all sessions to be terminated on change of password and reprompt a login.
I don’t know what authentication methodology they’re using so I’m not sure what their implementation is at the back end.
November 23rd, 2008 at 8:43 pm
Good bit of research, Brian. Do let us know if the people at Twitter reply to you regarding security upgrades.
November 23rd, 2008 at 9:17 pm
I should add that if these methods are accurate then Twitter’s team really needs to take a step back and look again at their methodology for security.
http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2 <– a good place to start…
November 24th, 2008 at 1:14 am
The problem is that many websites allow the feature of having multiple logins by a single user. Other websites have the “remember me” box, which I guess would keep that particular session cookie for a longer period of time. All these application specifics are scary, especially when you hear about cookie stealing attacks by simply linking to a remote site with an http (rather than https) URL, in this example twitter, and listening in and grabbing the cookie.
Although we invent genius encryption algorithms like public key cryptography, we seem to overlay them with the stupidest protocols. I am sad to say the internet is now a spaghetti that’ll keep tangling so long as we stick to our PHPs.
November 24th, 2008 at 3:43 am
Twitter have said they are going to implement OAuth (which would solve this problem) on their API page. However, they have shown no progress to my knowledge of doing this. It would be great for the community to push them towards it.
November 24th, 2008 at 4:12 am
Oh, come on. If you give a 3rd party your password, you should expect that they can screw you from that point on, mainly because you *gave them your password* . Also, your password/session cookie is always going over the wire in cleartext. Twitter is inherently insecure at this point. Deal with it.
November 24th, 2008 at 12:14 pm
Congrats on finding out who the anti is/was.
November 24th, 2008 at 12:50 pm
Here’s a tip, don’t use twitter.
November 24th, 2008 at 2:02 pm
Not really sure why you are so surprised that there is a security issue when you give out your user name and password to a 3rd party.
Though I agree that Twitter should adopt a better practice when it comes to handling account settings. I can understand why they don’t automatically kill all your sessions if you change your password: lots of users are logged into twitter from numerous applications and devices. But it would be a trivial matter to require the password for any account settings. They could also add a “log out all active sessions” feature and this issue would be solved.
@Jason, while the session cookie is being sent in the clear, the password is not saved in the cookie. Also, twitter changes the session id each time you interact with the site, so they are at least trying to combat CSRF attacks.
@Hatem There is a correction that needs to be made to what you posted: “I am sad to say the internet is now a spaghetti that’ll keep tangling so long as there are people who build applications that do not know how to code securely.” This isn’t a language-specific problem; this is an educational problem amongst coders.
November 25th, 2008 at 3:40 pm
Take a second and check out http://hax.by/zf/3/ – touches on this issue quite a bit.
November 30th, 2008 at 8:48 am
AKA Riptide Furse » Blog Archive » Weekly (weekly) says:[...] The Brian Shaler Blog / / Twitter Security Issue [...]
December 10th, 2008 at 11:38 am
Stop Sharing Your Twitter Credentials « twitpay.me: simple payments via Twitter says:[...] Twitter has an open security hole documented here: http://brianshaler.com/blog/2008/11/23/twitter-security-issue/. Basically, if some hacker manages to get your username and password and log in to Twitter before [...]
December 11th, 2008 at 2:43 pm
Wizardies! » Blog Archive » Twitter Security Hole! A Nightmare? says:[...] Brian Shelar Blog raised an important issue regarding Twitter’s serious security hole. Basically, it tells how your [...]
December 19th, 2008 at 11:27 pm
I was wondering what the ‘fake’ account was all about. This makes sense…
December 27th, 2008 at 4:37 am
Excellent article. Kind of scary, but anything online (or in the world) has risks. Thanks for the heads-up though.
January 4th, 2009 at 8:40 pm
I guess I’ll quit changing my passwords every 2 weeks!
With “friends” like that who needs enemies? Why would someone do all that work then want to be anonymous? I don’t get it, was there some sort of government cover-up?
@gelie, I heard the “fake” was totally different from the “anti”.
January 8th, 2009 at 1:32 am
Phishing on Twitter | SomosBloggers says:[...] hacked Twitter accounts, visit the InfoSpyware blog. Besides all this, it seems there is also a problem with session cookies and their [...]
February 17th, 2009 at 6:46 am
Twitter Vulnerability History says:[...] http://brianshaler.com/blog/2008/11/23/twitter-security-issue/ [...]
May 8th, 2009 at 7:01 am
links for 2009-05-08 — contentious.com says:[...] The Brian Shaler Blog / / Twitter Security Issue More about how your Twitter a count can be hijacked (tags: twitter social+media identity nefarious problems) [...]
May 30th, 2009 at 12:37 pm
Software [In]Security: Twitter Security - Making Your Thoughts as Small and Incomplete as Possible | The IT Security Attaché says:[...] is, but it’s not me. The question is whether or not I should care? (Some people apparently do.) It’s really not that clever or interesting making fun of someone anonymously. [...]
July 16th, 2009 at 7:05 am
This week Twitter’s own internal systems were hacked, along with the accounts of Twitter users including celebrities:
http://www.timacheson.com/Blog/2009/jul/twitter_hacked_via_google_apps
The point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If your Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.
August 14th, 2009 at 6:45 am
twitter uses basic authentication without prompting.
And it’s not even through SSL.
someone with a network monitor can read all usernames and passwords in plain text.
this is what you will see if you capture the wire:
Host: twitter.com
Authorization: BASIC
Credentials : username : password
The thing is you only are logged out if you close the browser window.
greez
December 6th, 2009 at 10:13 am
I just love to Twitter everyday with my friends. Twitter is much better than blogging in my opinion and it is very addictive too.
December 24th, 2009 at 11:27 pm
Twitter in some ways is much better than blogging. I love to Twitter my everyday activities to my friends and relatives.