Skip to main content

Twitter API vulnerable to replay attacks

Reading about Google's security today reminded me of an vulnerability I discovered in the @ a while ago. October 4th to be exact. The response was a typical but as of this writing the replay attack vulnerability has not been fixed.

Replay attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.
Notification

My email to security@twitter.com on October 4th and their response.
A single OAuth request can currently be made repeated until the timestamp expires. For example the below url worked in a browser repeatedly.

http://api.twitter.com/1/account/verify_credentials.json?oauth_consumer_key=DC0sePOBbQ8bYdC8r4Smg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1286249576&oauth_nonce=2568844471&oauth_version=1.0&oauth_token=9436992-nlnplVVuWbpQ6pG2992RCK01cOaTpiUIZXnwZuD3W0&oauth_signature=iNjBZzaH46J0K/4dRG74GG9skoM%3D

Abraham

----------

Hi Abraham,

Thanks for the note. We'll check it out.

-Bob
Example

Here is a snap shot of a POST request to create a list named "replayattack" at 00:16:18 GMT. Shortly after I made a request with the same @ parameters at 00:17:57 GMT that succeeded in creating a second list with the slug of replayattack-20. Both request use the same oauth_timestamp, oauth_nonce and oauth_signature values.

Severity

How serious is this vulnerability? Well luckily the vector seems to be pretty small but I'm not a security expert so there could be hidden vectors I have not considered.
  • The initial request must to be intercepted by an attacker so the use of SSL and certificate verification should protect against the attack.
  • Replay requests are limited to five minutes after the initial request before the timestamp gets rejected.
  • Requests can not be modified or the request will be rejected for having an invalid signature.
  • Duplicate statuses and messages can not be posted because Twitter rejects duplicates of recent statuses.
  • Requests to private resources like messages or protected timelines have not only the response of the initial request but any statuses or messages created in the following five minutes as well.
Prevention

What can Twitter do to prevent this? Twitter can store nonces for five minutes and if a single nonce hits the API more then once reject the subsequent requests. The OAuth specification has this to say about nonces:
A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
It is possible that Twitter decided to write off this vulnerability instead of trying to scale nonce checking for over 6 billion API requests every day.
Labels:

Comments

Post a Comment

Popular posts from this blog

Installing Storytlr the lifestreaming platform

" Storytlr  is an open source lifestreaming and micro blogging platform. You can use it for a single user or it can act as a host for many people all from the same installation." I've been looking for something like Storytlr for a few months now or at least trying to do it with Drupal . While I love Drupal and FeedAPI  I did not want to spend all that time building a lifestream website. So I've been playing around with Storytlr instead and found it very easy. Here is how I got it up and running on a Ubuntu EC2 server. You can also check out the official Storytlr install instructions . Assumptions: LAMP stack installed and running. Domain setup for a directory. MySQL database and user ready to go. Lets get started! Get the code : wget http://storytlr.googlecode.com/files/storytlr-0.9.2.tgz tar -xvzf storytlr-0.9.2.tgz You can find out the  latest stable release  on Storytlr's downloads page. Import the database : Within protected/install is database.sq
6 comments
Read more

Sync is currently experiencing problems

Update : I now recommend you install Google Chrome  and  disable  the built in Browser as it supports encrypting all synced data. After picking up a gorgeous  Galaxy Nexus yesterday I was running into an issue where my browser data wasn't syncing to the phone. After a little Googling I found this is commonly caused by having all of my synced Chrome data encrypted instead of the default of only encrypting the passwords. These are the steps I went through to get my dat syncing again without losing any of it. The exact error I was getting was "Sync is currently experiencing problems. It will be back shortly." In Google Chrome open the personal stuff settings page by clicking this link or by opening the wrench menu, and click on "signed in with example@gmail.com".  Hit "disconnect your Google Account" to temporarily disable syncing from your browser. Visit the Google Dashboard and "Stop sync and delete data from Google". I waite
31 comments
Read more

A month of Flutter: a look back

Originally published on bendyworks.com . This is it. 31 blog posts in 31 days. Writing  a month of flutter  has been a ton of work but also lots of fun and a good learning experience. I really appreciate how supportive and and positive everyone as been. Publishing experience For the series I've been posting on  bendyworks.com ,  DEV ,  my personal blog , and  Medium . After publishing to these sites, I would put the Bendyworks link on  Twitter ,  Reddit , and the  Flutter Study Group Slack . Posting to DEV was easy as they use Markdown just like the Bendworks blog. DEV also has built in support for a  series of posts  so it's easy to read the entire series. I did have to manually upload any embedded images. DEV also has a number of  liquid tags  for embedding things like GitHub issues that I didn't make as much use of as I should have. Blogger is rich text so it was easy to copy/paste the rendered posts. This would hotlink all the images though so I had to rem
Post a Comment
Read more