UPDATE: The primary issue described in this post has been fixed. You can only change your email address after entering your password.
I recently discovered a serious security issue on Twitter. Let me tell you the story.
Taking over an account
Someone started a Twitter account with the sole purpose of mocking me. It took me quite a while to find out who it was. Since practically everyone enjoys a good joke at my expense, the suspect list was quite long. But finally, I received information from a good Samaritan who did some investigating that was out of my reach.
I confronted the individual, a friend of mine, and asked him to turn over the account that was tarnishing my reputation (many people thought I was behind the account, leading them to believe I was pretentious and egotistical). After a few hours of instant messaging and agreeing to some terms (such as anonymity), he gave me access to the account. Upon logging in, I immediately changed the password, logged out, and logged in with the new password to make sure it took.
A day or two later, the user popped up on my radar again by mentioning my name in a tweet.
How did he get access to the account?
My first thought: I’m an Idiot! I forgot to change the email address in the account settings! If my friend went through the password reset steps, he could easily regain control of the account. I tried logging in with the password I had recently set, and it worked. I changed the email address and changed the password again. Then I contacted my friend about it, admitting my idiocy regarding the email settings. He said he hadn’t thought to go through the “Forgot password?” steps.
Then how did he get back in?!
He told me he had left his browser window open. The morning after yielding control of the account, he went back to the browser and it still worked!
This is where it gets SERIOUS
Let’s imagine, hypothetically, that you give your password to a 3rd party application. If the application’s owner uses that password once and saves the session cookie, they can store the session cookie and re-create it at any time in the future even if you change your password (There are even browser plug-ins that allow you to read and write cookies).
This means they can get back into your account whenever they want, indefinitely. They can post tweets, read your DMs, follow other users on your behalf, etc.
What’s worse, they can lock YOU out of YOUR ACCOUNT!
If you type in your password every time you go to Twitter.com (even if your browser “remembers” it), an attacker can take complete control over your account. The “remember me” checkbox will give you the same permanent access to your account that your attacker enjoys. So how can they take over your account? You can change your email address without typing your password! If an attacker is in your account, changing your password won’t stop them from kicking you out. They can change the email to their own address, log out, and request a password reset from Twitter. Twitter sends the reset email to their address, they click the link and set a new password, and you are locked out.
How to stay safe
As far as I know, there is nothing you can do to prevent this from happening to you, aside from never giving anyone or any application your password.
Twitter needs to use a smarter session cookie that is in some way linked to the user’s password or have another way of killing other sessions if you log out. Twitter should also consider using per-user API keys for users to give to 3rd party applications, instead of authenticating with your password.
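The two fixes asked for above (a session cookie tied to the current password, and a password prompt before the email address can be changed) are easy to sketch. The following is an added example, not Twitter's code or anything from the original post: a hypothetical in-memory AccountService in which every session records the user's password_version at login, so bumping the version on a password change kills every outstanding session, including a saved cookie replayed from an old browser window. Changing the email address separately requires the current password, which is what stops a live session alone from redirecting the reset email. All names here (AccountService, password_version, the sample user) are this example's own.

```python
"""Added example: session handling that closes the gaps described in the post.
Hypothetical names throughout; not Twitter's implementation."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    email: str
    salt: str
    password_hash: str
    password_version: int = 0  # bumped on every password change


@dataclass
class Session:
    token: str
    username: str
    password_version: int  # the user's version at login time
    created_at: float


def _hash_password(password: str, salt: str) -> str:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


class AccountService:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_hex(16)
        self.users[username] = User(username, email, salt, _hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        candidate = _hash_password(password, user.salt)
        return hmac.compare_digest(candidate, user.password_hash)

    def login(self, username: str, password: str) -> Optional[str]:
        """Issue a fresh random session token bound to the user's current password version."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, user.password_version, time.time())
        return token

    def current_user(self, token: str) -> Optional[User]:
        """Resolve a session cookie; a session from before a password change is dropped, not honoured."""
        session = self.sessions.get(token)
        if session is None:
            return None
        user = self.users[session.username]
        if session.password_version != user.password_version:
            del self.sessions[token]  # password changed since login: this cookie is dead
            return None
        return user

    def change_password(self, token: str, current_password: str, new_password: str) -> bool:
        user = self.current_user(token)
        if user is None or not self._check_password(user, current_password):
            return False
        user.salt = secrets.token_hex(16)
        user.password_hash = _hash_password(new_password, user.salt)
        user.password_version += 1  # invalidates every session, including this one
        return True

    def change_email(self, token: str, current_password: str, new_email: str) -> bool:
        """Re-prompting for the password is what blocks the lock-out trick."""
        user = self.current_user(token)
        if user is None or not self._check_password(user, current_password):
            return False
        user.email = new_email
        return True

    def logout_all(self, token: str) -> bool:
        """Explicit 'log out everywhere' without changing the password."""
        user = self.current_user(token)
        if user is None:
            return False
        for s in list(self.sessions.values()):
            if s.username == user.username:
                del self.sessions[s.token]
        return True


if __name__ == "__main__":
    # Constructed walk-through of the scenario in the post.
    svc = AccountService()
    svc.register("brian", "brian@example.invalid", "first-password")
    stolen = svc.login("brian", "first-password")   # the friend's still-open browser
    mine = svc.login("brian", "first-password")     # the rightful owner logs in
    svc.change_password(mine, "first-password", "second-password")
    print("stolen session still valid:", svc.current_user(stolen) is not None)
    fresh = svc.login("brian", "second-password")
    print("email change without password:", svc.change_email(fresh, "wrong-guess", "x@example.invalid"))
```

Both sides of the post's attack are checked: the old session stops resolving the moment the password changes, and the email change fails without the current password even from a valid session. Forcing the owner's own session to re-authenticate after the change is deliberate; it is the cheapest way to guarantee no pre-change cookie survives.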
What needs to happen is for all sessions to be terminated on change of password and reprompt a login.
I don’t know what authentication methodology they’re using so I’m not sure what their implementation is at the back end.
Good bit of research, Brian. Do let us know if the people at Twitter reply to you regarding security upgrades.
I should add that if these methods are accurate then Twitter’s team really needs to take a step back and relook at their methodology for security.
http://www.owasp.org/index.php/Category:OWASP_Ruby_on_Rails_Security_Guide_V2 <– a good place to start…
The problem is that many websites allow the feature of having multiple logins by a single user. Other websites have the “remember me” box, which I guess would keep that particular session cookie for a longer period of time. All these application specifics are scary, especially when you hear about cookie stealing attacks by simply linking to a remote site with an http *rather than https* url, in this example twitter, and listening in and grabbing the cookie.
Although we invent genius encryption algorithms like public key cryptography, we seem to overlay them with the stupidest protocols. I am sad to say the internet is now a spaghetti that’ll keep tangling so long as we stick to our PHPs.
Twitter have said they are going to implement OAuth (which would solve this problem) on their API page. However, they have shown no progress to my knowledge of doing this. It would be great for the community to push them towards it.
Oh, come on. If you give a 3rd party your password, you should expect that they can screw you from that point on, mainly because you *gave them your password* . Also, your password/session cookie is always going over the wire in cleartext. Twitter is inherently insecure at this point. Deal with it.
Congrats on finding out who the anti is/was.
Here’s a tip, don’t use twitter.
Not really sure why you are so surprised that there is a security issue when you give out your user name and password to a 3rd party.
Though I agree that Twitter should adopt a better practice when it comes to handling account settings. I can understand why they don’t automatically kill all your sessions if you change your password: lots of users are logged into twitter from numerous applications and devices. But it would be a trivial matter to require the password for any account settings. They could also add a “log out all active sessions” feature and this issue would be solved.
@Jason, while the session cookie is being sent in the clear, the password is not saved in the cookie. Also, twitter changes the session id each time you interact with the site, so they are at least trying to combat CSRF attacks.
@Hatem There is a correction that needs to be made to what you posted: “I am sad to say the internet is now a spaghetti that’ll keep tangling so long as there are people who build applications that do not know how to code securely.” This isn’t a language-specific problem; this is an educational problem amongst coders.
Take a second and check out http://hax.by/zf/3/ – touches on this issue quite a bit.
I was wondering what the ‘fake’ account was all about. This makes sense…
Excellent article. Kind of scary, but anything online (or in the world) has risks. Thanks for the heads-up though.
I guess I’ll quit changing my passwords every 2 weeks!
With “friends” like that who needs enemies? Why would someone do all that work then want to be anonymous? I don’t get it, was there some sort of government coverup?
@gelie, I heard the “fake” was totally different from the “anti”.
This week Twitter’s own internal systems were hacked, along with the accounts of Twitter users including celebrities:
http://www.timacheson.com/Blog/2009/jul/twitter_hacked_via_google_apps
The point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If your Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.
twitter uses basic authentication without prompting.
And it’s not even through SSL
someone with a network monitor can read all usernames and passwords in plain text.
this is what you will see if you capture the wire
Host: twitter.com
Authorization: BASIC
Credentials : username : password
The thing is you only are logged out if you close the browser window.
greez