
Twitter, user privacy, its implications


Over the past few days a few issues have arisen around Twitter’s security. Most of the security “problems” discovered were either minor or required a high level of social engineering. One thing that has been realized, and that is becoming common knowledge, is that once you are logged in to Twitter, any other web site you visit can make an Ajax request and retrieve your user profile.

Personally, I believe that this will be one of the features of web3.0*: the ability to have a single login, not having to log in anywhere, having your profile recognized everywhere, etc. (OAuth, OpenID, etc). We could almost call it browser-identifiable security, where one browser window (with as many tabs as you want) is associated with a single account and every website you visit knows about you and your information. The idea itself is very neat, but it brings with it issues around user privacy.

Whilst this is a really cool concept from a developer’s point of view, I can easily see why anyone would be scared of the ability to retrieve their Twitter profile from within any web page. I have found a few other services and web apps with public APIs that are also affected by this sort of bug; if they consent to being named, I’ll do so here.

The type of vulnerability we’re talking about here is commonly known as a CSRF vulnerability. Twitter has some protection against this attack on the forms that are used to write to the profile settings, direct messages, etc. It’s rather trivial to protect from CSRF — some good methods out there include adding encrypted tokens as well as verifying cookies — but because http://twitter.com/statuses/user_timeline.xml is accessible to anyone logged in to Twitter, and the browser attaches the Twitter cookie to every request it makes to twitter.com, the same data is also available to the websites that user visits.

For instance, using jQuery, a malicious website could run something such as:

$(document).ready(function() {
    // The browser sends the visitor's Twitter cookie along with this request,
    // so the response is the logged-in user's own timeline.
    $.getJSON("http://twitter.com/statuses/user_timeline.json", null, function(data) {
        // Do something interesting with the user data you have just collected
        // Maybe ajax request to your own server to insert the data?
    });
});

Using this you could easily track anyone who comes to your website and also retrieve a list of their friends if you feel a bit more … creative.

Basically the process is as follows:

[Diagram: Twitter Attack Scheme]

1. The user logs in to Twitter
2. Twitter sets a session cookie and logs the user in
3. The user (while still logged in to Twitter) visits a malicious website
4. The malicious website requests data from Twitter; the browser attaches the weak cookie, so the request retrieves information about the user
5. The malicious website renders its page as usual and says nothing to the user.

One of the main implications of this openness, and of the lack of communication with users, is for user privacy. Many people could potentially be exposed, with their names/profiles available in the wild. This affects their privacy in that the websites they visit could become known to everyone (and do we know how bad this could be in terms of reputation… :P)

I can think of two possible solutions to this problem. First, ensure a stronger authentication system for every API method, even those that only read user information — not allowing the main website cookie to be used with the API would be a start. It’s a bit radical, but it may be the only option. A second option might be to give the user the choice of whether to make their profile available cross-session or not.

I’m not sure what they’ll choose, but today, after a few rants and some playing around, I realized that this issue will probably become mainstream with other apps in the months and years to come, but only if the user is informed and their privacy respected.

* Some ideas from this post will be in my talk on Web 3.0 at ossbarcamp

[Thanks to Turtle Kid and the awesome War Games]
