Archive for November, 2008
UPDATE: The primary issue described in this post has been fixed. You can only change your email address after inserting your password.
I recently discovered a serious security issue on Twitter. Let me tell you the story.
Taking over an account
Someone started a Twitter account with the sole purpose of mocking me. It took me quite a while to find out who it was. Since practically everyone enjoys a good joke at my expense, the suspect list was quite long. But finally, I received information from a good Samaritan who did some investigating that was out of my reach.
I confronted the individual, a friend of mine, and asked him to turn over the account that was tarnishing my reputation (many people thought I was behind the account, leading them to believe I was pretentious and egotistical). After a few hours of instant messaging and agreeing to some terms (such as anonymity), he gave me access to the account. Upon logging in, I immediately changed the password, logged out, and logged in with the new password to make sure it took.
A day or two later, the user popped up on my radar again by mentioning my name in a tweet.
How did he get access to the account?
My first thought: I’m an Idiot! I forgot to change the email address in the account settings! If my friend went through the password reset steps, he could easily regain control of the account. I tried logging in with the password I had recently set, and it worked. I changed the email address and changed the password again. Then I contacted my friend about it, admitting my idiocy regarding the email settings. He said he hadn’t thought to go through the “Forgot password?” steps.
Then how did he get back in?!
He told me he had left his browser window open. The morning after yielding control of the account, he went back to the browser and it still worked!
This is where it gets SERIOUS
Let’s imagine, hypothetically, that you give your password to a 3rd party application. If the application’s owner uses that password once, they can save the session cookie and re-create it at any time in the future, even if you change your password. (There are even browser plug-ins that allow you to read and write cookies.)
This means they can get back into your account whenever they want, indefinitely. They can post tweets, read your DMs, follow other users on your behalf, etc.
What’s worse, they can lock YOU out of YOUR ACCOUNT!
If you type in your password every time you go to Twitter.com (even if your browser “remembers” it), an attacker can take complete control over your account. The “remember me” checkbox will give you the same permanent access to your account that your attacker enjoys. So how can they take over your account? You can change your email address without typing your password! If an attacker is in your account, changing your password won’t stop them from kicking you out. They can change the email to their own address, log out, and request a password reset from Twitter. Twitter sends the reset email to that address, and they can click the link to reset the password.
How to stay safe
As far as I know, there is nothing you can do to prevent this from happening to you, aside from never giving anyone or any application your password.
Twitter needs to use a smarter session cookie that is in some way linked to the user’s password or have another way of killing other sessions if you log out. Twitter should also consider using per-user API keys for users to give to 3rd party applications, instead of authenticating with your password.
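One way to build the "smarter session cookie" suggested above, as an added example that is not from the original post and is not Twitter's code: the cookie's MAC covers the user's current password hash and a per-user session epoch, so a password change or a "log out everywhere" rejects every older cookie, and changing the email requires the password. The `Accounts` class, its method names and the cookie layout are all hypothetical.

```python
import hashlib, hmac, os
SERVER_KEY = os.urandom(32)  # constructed key; a real service would persist it

class Accounts:  # hypothetical in-memory user store, for illustration only
    def __init__(self):
        self.users = {}  # name -> {"salt", "pw_hash", "epoch", "email"}

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set_password(self, user, password):
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(user["salt"], password)

    def create(self, name, password, email):
        self.users[name] = {"epoch": 0, "email": email}
        self._set_password(self.users[name], password)

    def check_password(self, name, password):
        u = self.users[name]
        return hmac.compare_digest(u["pw_hash"], self._hash(u["salt"], password))

    def _mac(self, name):
        # Covers password hash and epoch: changing either invalidates old cookies.
        u = self.users[name]
        msg = f"{name}|{u['epoch']}|".encode() + u["pw_hash"]
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def login(self, name, password):
        return f"{name}:{self._mac(name)}" if self.check_password(name, password) else None

    def session_user(self, cookie):
        name, _, mac = (cookie or "").rpartition(":")
        ok = name in self.users and hmac.compare_digest(mac.encode(), self._mac(name).encode())
        return name if ok else None

    def change_password(self, name, old, new):
        if self.check_password(name, old):
            self._set_password(self.users[name], new)
            return True
        return False

    def logout_everywhere(self, name):
        self.users[name]["epoch"] += 1  # kills all outstanding cookies

    def change_email(self, name, password, new_email):  # re-authenticate first
        if self.check_password(name, password):
            self.users[name]["email"] = new_email
            return True
        return False
```

Because the cookie is stateless, every session for a user shares the same fate: there is no way to revoke one browser while keeping another, which would need a server-side session table.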
This is from a paper posted on my cubicle neighbor’s wall:
The Six Stages of Debugging
- That can’t happen.
- That doesn’t happen on my machine.
- That shouldn’t happen.
- Why is that happening?
- Oh, I see.
- How did that ever work?
The 3rd Annual AZ Entrepreneurship Conference is less than two weeks away! Are you going?
This year’s event will include the usual broad range of entrepreneurial topics, but will have a touch of social media. The speaker line-up is among the best Phoenix, AZ has seen in one place, especially in the tech entrepreneurship realm.
It’s going to be absolutely amazing.
In this economy, you might want to learn what is happening in our local banking market. It’s something you need to know if you are in business.
And there will also be an announcement from Microsoft that will benefit anyone with a software startup (under 3 years old) or a new project.
Businesses and entrepreneurs looking for funding, talent, real estate plays for the future, green initiatives or innovative ideas will find them all at the Third Annual Arizona Entrepreneurship conference November 19 at the Buttes Resort in Tempe, Arizona. The day-long event will connect participants with some of the most interesting and active entrepreneurs and investors across the U.S. Last year’s event was standing room only, with this year’s event expected to draw even larger audiences.
Keynote speakers include a collection of heavyweights sharing their in-the-trenches experiences in building, funding and selling their companies.
- Allan Kaplan, Co-Founder of Limelight Networks and Director of Clearview Capital Partners
- Matt Mullenweg, Founding Developer of WordPress
- Gary Vaynerchuk, Founder of WineLibrary.com
- Bill Reichert, Managing Director, Garage Technology Ventures
- Howard Lindzon, Partner in Knight’s Bridge Capital Partners and Founder of Wallstrip
Full conference will include:
– The State of Startup Financing
– Creating a Product that Can Sell
– Local Successes
– Lessons Learned
– State of the Blogosphere
– Sustainability Initiatives
– State of Funding in Arizona
– Social Media Best Practices
Location: November 19, 2008
7:30 am – 7:00 pm
at The Buttes Resort (2000 Westcourt Way, Tempe, AZ)
Registration ($150) includes lunch and a continental breakfast: http://www.azentrepreneurship.com
You are currently browsing the Brian Shaler blog archives for November, 2008.