Skip to main content

Twitter API vulnerable to replay attacks

Reading about Google's security today reminded me of an vulnerability I discovered in the @ a while ago. October 4th to be exact. The response was a typical but as of this writing the replay attack vulnerability has not been fixed.

Replay attack
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.
Notification

My email to security@twitter.com on October 4th and their response.
A single OAuth request can currently be made repeated until the timestamp expires. For example the below url worked in a browser repeatedly.

http://api.twitter.com/1/account/verify_credentials.json?oauth_consumer_key=DC0sePOBbQ8bYdC8r4Smg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1286249576&oauth_nonce=2568844471&oauth_version=1.0&oauth_token=9436992-nlnplVVuWbpQ6pG2992RCK01cOaTpiUIZXnwZuD3W0&oauth_signature=iNjBZzaH46J0K/4dRG74GG9skoM%3D

Abraham

----------

Hi Abraham,

Thanks for the note. We'll check it out.

-Bob
Example

Here is a snap shot of a POST request to create a list named "replayattack" at 00:16:18 GMT. Shortly after I made a request with the same @ parameters at 00:17:57 GMT that succeeded in creating a second list with the slug of replayattack-20. Both request use the same oauth_timestamp, oauth_nonce and oauth_signature values.

Severity

How serious is this vulnerability? Well luckily the vector seems to be pretty small but I'm not a security expert so there could be hidden vectors I have not considered.
  • The initial request must to be intercepted by an attacker so the use of SSL and certificate verification should protect against the attack.
  • Replay requests are limited to five minutes after the initial request before the timestamp gets rejected.
  • Requests can not be modified or the request will be rejected for having an invalid signature.
  • Duplicate statuses and messages can not be posted because Twitter rejects duplicates of recent statuses.
  • Requests to private resources like messages or protected timelines have not only the response of the initial request but any statuses or messages created in the following five minutes as well.
Prevention

What can Twitter do to prevent this? Twitter can store nonces for five minutes and if a single nonce hits the API more then once reject the subsequent requests. The OAuth specification has this to say about nonces:
A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
It is possible that Twitter decided to write off this vulnerability instead of trying to scale nonce checking for over 6 billion API requests every day.

Popular posts from this blog

Sync is currently experiencing problems

Update: I now recommend you install Google Chrome and disable the built in Browser as it supports encrypting all synced data.

After picking up a gorgeous Galaxy Nexus yesterday I was running into an issue where my browser data wasn't syncing to the phone. After a little Googling I found this is commonly caused by having all of my synced Chrome data encrypted instead of the default of only encrypting the passwords. These are the steps I went through to get my dat syncing again without losing any of it. The exact error I was getting was "Sync is currently experiencing problems. It will be back shortly."




In Google Chrome open the personal stuff settings page by clicking this link or by opening the wrench menu, and click on "signed in with example@gmail.com".  Hit "disconnect your Google Account" to temporarily disable syncing from your browser.



Visit the Google Dashboard and "Stop sync and delete data from Google". I waited until the stored dat…

Little known @Twitter and @TwitterAPI tips and tricks

Be sure to comeback as new tips and tricks get added. If you know of anything I missed be sure to let me know.

Static URL for profile images based on screen_name:

https://api.twitter.com/1/users/profile_image/abraham

* This performs a http redirect to the actual profile image URL. Currently https redirects to http. You can also add "?size={mini | bigger | normal}" to get specific sizes.

Redirect to profile based on user_id:

https://twitter.com/account/redirect_by_id?id=9436992

In_reply_to_status_id mentions:

https://api.twitter.com/1/statuses/update.json?status=reply+to+@abraham&in_reply_to_status_id=12410413197

* In the web interface new mentions are only replies if they start with @screen_name. By pushing @screen_name further along in the string your followers who do not follow @screen_name will still see the status.

Profile image sizes:

http://a3.twimg.com/profile_images/54160223/chart-black-small.png

* By default you get the original image size you can add _mini, _normal, and …

Can you activate a Moto G on Sprint?

Question: Can you activate a Moto G (3rd gen) on Sprint?
Answer: No.

TLDR: Don't use Sprint.


Having the unfortunateness of accidentally dropping and mostly obliterating a perfectly functional Nexus 5, my housemate was in need of a replacement ASAP. With solid specs and an amazing price tag (a mere $220) a Moto G (3rd gen) was high on my list of replacements. Considering the 2015 Nexus devices hadn't even been announced yet, it was pretty much the only option in that size range.

Moto was quick to ship and we skipped off to the Sprint store Moto G in hand to get it added to the existing service plan. I mean really, how hard could adding a phone be? Sadly it was all downhill from there...

Walking into Sprint there were a couple of people being helped or waiting to be helped but overly not very busy. Initially the service rep thought we wanted to transfer photos, data, etc from one device to another and said she could help us. After describing several times that we simply wanted the pl…