ASFWS 2012 - Bypassing the Terms of Use and the API of the Twitter Service, by Nicolas Seriot
Date posted: 03-Sep-2014
Uploaded by: application-security-forum-western-switzerland
Transcript
Page 1: ASFWS 2012 - Bypassing the Terms of Use and the API of the Twitter Service, by Nicolas Seriot

Application Security Forum - Western Switzerland 2012

7-8 November 2012, Y-Parc / Yverdon-les-Bains, https://www.appsec-forum.ch

Abusing Twitter API
Nicolas Seriot

Page 2

Page 3

Bio

• Cocoa developer

• HES Software Engineer

• MAS Eco. Crime Investigation

• Twitter user since July, 2008

• Father of a newborn

Page 4

Agenda

1. Twitter

2. OAuth

3. Ripping Consumer Tokens

4. iOS / OS X + STTwitter

5. Discussion

Page 5

Twitter timeline 2006-2012 (figure; only the chart text is recoverable)

Tweets/day axis (values as extracted): 5000, 2250, 1M, 65, 140M, 340M

Milestones: Twitter launch; trending topics; verified accounts (celebrities); promoted tweets (web); promoted tweets (mobile); no more RSS; last OS X client update; Tweetie buyout; TweetDeck buyout; Dick Costolo CEO; stricter ToS, display guidelines.

API: HTTP Basic Authentication, then OAuth, API v1.0, v1.1

Now: $8 billion valuation, top-10 most visited websites

Page 6

March 2013: Maximum Evilness

“We’re trying to limit certain use casesthat occupy the upper-right quadrant.”

https://dev.twitter.com/blog/changes-coming-to-twitter-api

Page 7

https://dev.twitter.com/terms/display-requirements

• The author’s name and @username must be displayed to the right of the avatar.

• Reply, Retweet and Favorite Tweet actions must always be available.

• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.

• The Twitter logo or Follow button for the Tweet author must always be displayed.

• The Tweet timestamp must always be linked to the Tweet permalink.

• A timeline must not be rendered with non-Twitter content. e.g. from other networks.

Page 8

"Developers ask us if they should build client apps that mimic or reproduce the mainstream Twitter consumer client experience. The answer is no."

"We need to move to a less fragmented world, where every user can experience Twitter in a consistent way."

https://groups.google.com/forum/#!msg/twitter-development-talk/yCzVnHqHIWo/sC34r_ZyMLYJ

• Max. 100’000 users per Twitter client app.

• “Twitter discourages development in this area” https://dev.twitter.com/terms/api-terms

Page 9

"Twitter obviously wants to make money by advertising in the stream. This will be impossible if all of the mechanisms aren't implemented to spec within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third parties to prevent fraud, poor presentation, etc."

http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden

Developers ♥ Stupid Rules!

Page 10

Breaking the Rules

• OAuth authentication for every API request

• "We reserve the right to revoke your app" https://dev.twitter.com/terms/api-terms

• Can a rogue client spoof the identity of a regular client and use the API as it wants?

Page 11

1. Twitter

2. OAuth

3. Ripping Consumer Tokens

4. iOS / OS X + STTwitter

5. Discussion

Agenda

Page 13

OAuth / Web (sequence diagram between @nst021, bitly and Twitter)

1. bitly -> Twitter: request_token
2. bitly -> @nst021 -> Twitter: authorize (“Use my account”)
3. bitly -> Twitter: access_token
4. bitly -> Twitter: home_timeline

Legend: the green coin is for bitly and @nst021.

Page 14

OAuth / Desktop (sequence diagram between @nst021 / iOS client and Twitter)

1. request_token
2. authorize
3. access_token
4. home_timeline

Legend: the green coin is for bitly and @nst021.

Page 15

OAuth: 3-phase authentication (sequence diagram between @nst021 / iOS client and Twitter)

1. request_token: the client presents its consumer_key / consumer_secret; Twitter returns request_key / request_secret.
2. authorize: the user authorizes the client and receives a PIN (the verifier).
3. access_token: the client presents request_key / request_secret and the verifier; Twitter returns access_key / access_secret.

After that: home_timeline, using access_key / access_secret.

Legend: the green coin is for bitly and @nst021.

Page 16

xAuth: 1-phase authentication (sequence diagram between @nst021 / iOS client and Twitter)

1. access_token: the client sends the username and password together with its consumer_key / consumer_secret; Twitter returns access_key / access_secret.

After that: home_timeline, using access_key / access_secret.

Legend: the green coin is for bitly and @nst021.

Page 17

1. Twitter

2. OAuth

3. Ripping Consumer Tokens

4. iOS / OS X + STTwitter

5. Discussion

Agenda

Page 18

/usr/bin/strings

    $ strings /Applications/Twitter.app/Contents/MacOS/Twitter
    3rJOl1ODzm9yZy63FACdg
    5jPo**************************************

Page 19

Test the Tokens

demo

    #!/usr/bin/env python
    # Drives the 3-phase OAuth flow with the consumer tokens ripped from Twitter.app
    # (the slide's original is Python 2 / tweepy 1.x, which printed with `print ...`,
    # read the PIN with raw_input() and exposed auth.access_token.key / .secret;
    # shown here in the Python 3 / tweepy 3+ form).
    import tweepy

    CONSUMER_KEY = '3rJOl1ODzm9yZy63FACdg'
    CONSUMER_SECRET = '5jPo**************************************'

    # Phase 1: request_token (signed with the consumer secret only)
    auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
    auth_url = auth.get_authorization_url()
    print("Please authorize:", auth_url)

    # Phase 2: the user authorizes "the Twitter app" and gets a PIN (verifier)
    verifier = input('PIN: ').strip()

    # Phase 3: access_token
    auth.get_access_token(verifier)

    print("ACCESS_KEY:", auth.access_token)
    print("ACCESS_SECRET:", auth.access_token_secret)

Page 20

/usr/bin/gdb

    $ gdb attach <PID of OS X accountsd>

    (gdb) b -[OACredential consumerKey]
    (gdb) finish
    (gdb) po $rax
    tXvOrlJDmLnTfiUqJ3Kuw

    (gdb) b -[OACredential consumerSecret]
    (gdb) finish
    (gdb) po $rax
    AWcB**************************************

Page 21

/usr/bin/gdb

    $ gdb attach <PID of iPhoneSimulator accountsd>

    (gdb) b -[OACredential consumerKey]
    (gdb) finish
    (gdb) po (int*)$eax
    WXZE9QillkIZpTANgLNT9g

    (gdb) b -[OACredential consumerSecret]
    (gdb) finish
    (gdb) po (int*)$eax
    Aau5**************************************

demo

Page 22

Logging Freed Strings

Traces every call to free() in process 10123 and prints the buffer being freed as a string:

    $ sudo dtrace -n 'pid$target::free:entry { \
        printf("%s", arg0 != NULL ? \
        copyinstr(arg0) : \
        "<NULL>"); }' -p 10123

Page 23

Objective-C Variant

    @implementation NSString (XX)

    + (void)load {
        // Swizzle() is a method-swizzling helper not shown on the slide.
        Swizzle([NSString class], @selector(dealloc), @selector(my_dealloc));
    }

    - (void)my_dealloc {
        NSLog(@"%@", self);   // log every NSString about to be freed
        [self my_dealloc];    // after swizzling, this calls the original -dealloc
    }

    @end

Loaded into the target process from gdb:

    (gdb) p (char)[[NSBundle bundleWithPath: @"/Library/Frameworks/XX.framework"] load]

Page 24

Other Techniques

• Memory dump

    $ sudo ./gcore64 -c /tmp/dump.bin 4149
    $ strings dump.bin | sort -u > /tmp/dump.txt
    # key=consumerSecret&
    $ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt

• Google…
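The pipeline on this slide (gcore, strings, sort -u, egrep) is reproduced here in Python so it can be tried offline. This is an added example, not code from the talk: the buffer FAKE_DUMP, its credentials, the function names and the consumer-key length filter are constructed assumptions. The idea the slide supports is the regex itself: while only the consumer secret is known, the OAuth HMAC key is "<consumer_secret>&", so a leaked signing key shows up in a dump as a long alphanumeric run ending in "&".

```python
# Added example, not from the talk: a stand-in for `strings dump.bin | sort -u`
# plus the slide's egrep, run over a constructed byte buffer. Credentials,
# buffer contents and the key-length filter are invented for this example.
import re

MIN_LEN = 4  # strings(1) default minimum run length

# From the slide: the signing key is "<consumer_secret>&" while no token secret
# is known, so a leaked key is an alphanumeric run ending in '&'.
SIGNING_KEY_RE = re.compile(r"^[A-Za-z0-9]{20,}&$")

# Assumption: consumer keys are short alphanumeric tokens (the slide's examples
# are 21-22 characters). A loose filter, not an identification.
CONSUMER_KEY_RE = re.compile(r"^[A-Za-z0-9]{20,25}$")


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Unique printable-ASCII runs, sorted, like `strings dump.bin | sort -u`."""
    runs = re.findall(rb"[\x20-\x7e\t]{%d,}" % min_len, blob)
    return sorted({r.decode("ascii") for r in runs})


def find_signing_keys(strings_list):
    """Candidates matching the slide's egrep: alphanumeric{20+} followed by '&'."""
    return [s for s in strings_list if SIGNING_KEY_RE.match(s)]


def find_consumer_key_candidates(strings_list):
    return [s for s in strings_list if CONSUMER_KEY_RE.match(s)]


def scan_dump(blob: bytes) -> dict:
    strs = extract_strings(blob)
    keys = find_signing_keys(strs)
    return {
        "signing_keys": keys,
        "consumer_secrets": [k[:-1] for k in keys],  # drop the trailing '&'
        "consumer_key_candidates": find_consumer_key_candidates(strs),
    }


# Constructed "memory dump": binary noise around leftovers of an OAuth signing
# routine. Every credential in here is made up.
FAKE_DUMP = (
    b"\x00\x01\x02ELF\x7f" + b"\xff" * 7
    + b"oauth_consumer_key=Ab12Cd34Ef56Gh78Ij90K\x00"   # key inside a query fragment
    + b"\x00\x00Ab12Cd34Ef56Gh78Ij90K\x00"               # the key alone (21 chars)
    + b"\x90" * 5
    + b"ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210ZyXw&\x00"    # "<secret>&" signing key
    + b"ab&\x00"                                         # too short to be reported
    + b"/usr/lib/libSystem.B.dylib\x00"
    + b"\x00" * 3
)

if __name__ == "__main__":
    for name, found in scan_dump(FAKE_DUMP).items():
        print(name, found)
```

The "&" heuristic only finds the key while no token secret is attached; once an access token exists the signing key is "<consumer_secret>&<access_secret>", and the same scan should then look for a single "&" between two alphanumeric runs.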

Page 25

1. Twitter

2. OAuth

3. Ripping Consumer Tokens

4. iOS / OS X + STTwitter

5. Discussion

Agenda

Page 26

OS X Twitter Credentials

Accounts.framework (screenshot of the OS X accounts list: @nst021, xxxxxx)

Page 27

STTwitter architecture (class diagram, two configurations side by side)

• STTwitterAPIWrapper: + twitterAPIWith..., - getHomeTimeline, - postStatus
• STTwitterOAuthProtocol, implemented by either:
  - STOAuthOSX, on top of Accounts.framework / Social.framework
  - STTwitterOAuth, on top of STHTTPRequest

STTwitter can use OS X consumer tokens (STOAuthOSX)… …or can use custom consumer tokens (STTwitterOAuth).

Page 30

1. Twitter

2. OAuth

3. Ripping Consumer Tokens

4. iOS / OS X + STTwitter

5. Discussion

Agenda

Page 31

1. Taking OAuth from the web to the desktop was a conceptual error. Consumer tokens simply cannot be kept secret on the desktop.

2. Twitter cannot realistically revoke the keys of popular clients, especially those of OS X / iOS.

3. xAuth brings nothing more than HTTP Digest Authentication, and sends the password in the access token request.

4. OAuth cannot reliably identify the client, and additionally puts users at risk.

OAuth Session Fixation Attack Demo

Page 32

Page 33

5. I have to conclude that the real grounds for using OAuth is neither “security” nor spam fighting but desire to control third-party client applications to please big media, consumers and advertisers.

6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure if it can be solved.

Page 34

Recap

1. Twitter

2. OAuth

3. Ripping Consumer Tokens

4. iOS / OS X + STTwitter

5. Discussion

Page 35

Twitter: @nst021

Web: http://seriot.ch/abusing_twitter_api.php

Slides: http://www.slideshare.net/ASF-WS/presentations
