Abusing Twitter API - seriot.ch/resources/abusing_twitter_api/abusing_twitter_api.pdf
Application Security Forum - Western Switzerland 2012
7-8 November 2012, Y-Parc / Yverdon-les-Bains, https://www.appsec-forum.ch
Abusing Twitter API
Nicolas Seriot
Bio
• Cocoa developer
• HES Software Engineer
• MAS Eco. Crime Investigation
• Twitter user since July 2008
• Father of a newborn
Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
[Timeline slide, 2006-2012: tweets per day growing from 5000 to 340M. Milestones: Twitter launch, verified accounts (celebrities), trending topics, no more RSS, promoted tweets (web, mobile), Tweetie buyout, TweetDeck buyout, last OS X client update, Dick Costolo CEO, stricter ToS and display guidelines; now $8 billion valuation, top-10 most visited websites. API: HTTP Basic Authentication, OAuth, API v. 1.0, v. 1.1.]
March 2013: Maximum Evilness
“We’re trying to limit certain use cases that occupy the upper-right quadrant.”
https://dev.twitter.com/blog/changes-coming-to-twitter-api
https://dev.twitter.com/terms/display-requirements
• The author’s name and @username must be displayed to the right of the avatar.
• Reply, Retweet and Favorite Tweet actions must always be available.
• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
• The Twitter logo or Follow button for the Tweet author must always be displayed.
• The Tweet timestamp must always be linked to the Tweet permalink.
• A timeline must not be rendered with non-Twitter content. e.g. from other networks.
"Developers ask us if they should build client apps that mimic or reproduce
the mainstream Twitter consumer client experience. The answer is no."
"We need to move to a less fragmented world, where every user can experience Twitter in a
consistent way."
https://groups.google.com/forum/#!msg/twitter-development-talk/yCzVnHqHIWo/sC34r_ZyMLYJ
• Max. 100’000 users per Twitter client app.
• “Twitter discourages development in this area” https://dev.twitter.com/terms/api-terms
"Twitter obviously wants to make money by advertising in the stream. This will be impossible if all of the mechanisms aren't implemented to spec within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third parties to prevent fraud, poor presentation, etc."
http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden
Developers ♥ Stupid Rules!
Breaking the Rules
• OAuth authentication for every API request
• "We reserve the right to revoke your app" https://dev.twitter.com/terms/api-terms
• Can a rogue client spoof the identity of a regular client and use the API as it wants?
2. OAuth
http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/
OAuth / Web
Sequence diagram, three parties: @nst021 (the user), bitly (the consumer) and Twitter (the provider).
1. request_token: bitly asks Twitter for a request token
2. authorize: @nst021 is sent to Twitter and clicks “Use my account”
3. access_token: bitly exchanges the authorized request token for an access token
4. home_timeline: bitly calls the API on behalf of @nst021
Legend: green coin is for bitly and the other coin for @nst021.
OAuth / Desktop
Same sequence, but the consumer is now the client running on the user's own device (“@nst021 / iOS”) talking to Twitter:
1. request_token
2. authorize
3. access_token
4. home_timeline
OAuth: 3 phases Authentication
Credentials involved at each step between “@nst021 / iOS” and Twitter:
- consumer_key / consumer_secret: the client application's own credentials, used to sign every request
- request_token: returns request_key / request_secret
- authorize: the user approves and receives a verifier (PIN)
- access_token: the verifier is exchanged for access_key / access_secret
- home_timeline: API calls signed with the consumer and access credentials
xAuth: 1 phase Authentication
- consumer_key / consumer_secret plus the user's username / password
- access_token: returns access_key / access_secret directly, no request token and no authorize step
- home_timeline
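Added example, not code from the slides: the OAuth 1.0a HMAC-SHA1 signing step that both the 3-phase flow and xAuth rely on, written out to show that the consumer secret is half of the signing key ("consumer_secret&token_secret") and so has to be present, in clear, in the client's memory for every signed request. The credentials are the fictitious ones from RFC 5849 section 1.2, not Twitter's.

```python
# Added example, not code from the slides: a minimal OAuth 1.0a HMAC-SHA1 signer.
# It shows why a desktop client cannot keep consumer_secret secret: the secret is half
# of the HMAC key ("consumer_secret&token_secret") and must be in memory for every signed
# request. Credentials are the fictitious ones from RFC 5849 section 1.2, not Twitter's.
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")

def normalize_params(params):
    """Encode keys and values, sort by (key, value), join as k=v&k=v."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in encoded)

def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(normalized params); realm and oauth_signature are excluded."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])

def signing_key(consumer_secret, token_secret=""):
    """The HMAC key: both secrets, percent-encoded, joined by '&'. During the
    request_token phase token_secret is empty, so the key is just '<consumer_secret>&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    """Return oauth_signature for the request: base64(HMAC-SHA1(key, base string))."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    msg = signature_base_string(method, url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")

def verify(method, url, params, consumer_secret, token_secret, signature):
    """Provider-side check. Note what it proves: possession of the secrets,
    not which application actually sent the request."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Phase 1 of the 3-phase flow: the request_token call, signed with consumer_secret only.
REQUEST_TOKEN_URL = "https://photos.example.net/initiate"
REQUEST_TOKEN_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131200",
    "oauth_nonce": "wIjqoS",
    "oauth_callback": "http://printer.example.com/ready",
}
CONSUMER_SECRET = "kd94hf93k423kf44"

if __name__ == "__main__":
    print("signing key:", signing_key(CONSUMER_SECRET))  # trailing '&': the secret as it sits in memory
    print("signature  :", sign("POST", REQUEST_TOKEN_URL, REQUEST_TOKEN_PARAMS, CONSUMER_SECRET))
```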
3. Ripping Consumer Tokens
/usr/bin/strings

```
$ strings /Applications/Twitter.app/Contents/MacOS/Twitter
3rJOl1ODzm9yZy63FACdg
5jPo**************************************
```
Test the Tokens
demo

```python
#!/usr/bin/env python
# Python 2 / tweepy (2012): drive the 3-phase OAuth flow with the ripped consumer tokens
import tweepy

CONSUMER_KEY = '3rJOl1ODzm9yZy63FACdg'
CONSUMER_SECRET = '5jPo**************************************'

auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
auth_url = auth.get_authorization_url()   # phase 1: request_token, then the authorize URL
print "Please authorize:", auth_url

verifier = raw_input('PIN: ').strip()     # phase 2: the user authorizes and gets a PIN
auth.get_access_token(verifier)           # phase 3: exchange the verifier for an access token

print "ACCESS_KEY:", auth.access_token.key
print "ACCESS_SECRET:", auth.access_token.secret
```
/usr/bin/gdb

```
$ gdb attach <PID of OS X accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po $rax
tXvOrlJDmLnTfiUqJ3Kuw
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po $rax
AWcB**************************************
```
```
$ gdb attach <PID of iPhoneSimulator accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po (int*)$eax
WXZE9QillkIZpTANgLNT9g
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po (int*)$eax
Aau5**************************************
```

demo
Logging Freed Strings

```
$ sudo dtrace -n 'pid$target::free:entry { printf("%s", arg0 != NULL ? copyinstr(arg0) : "<NULL>"); }' -p 10123
```
Objective-C Variant

```objc
// Swizzle -[NSString dealloc] so every string is logged just before it is freed.
// Swizzle() is the author's helper (not shown on the slide) that exchanges the
// implementations of the two selectors.
#import <Foundation/Foundation.h>

@implementation NSString (XX)
+ (void)load {
    Swizzle([NSString class], @selector(dealloc), @selector(my_dealloc));
}
- (void)my_dealloc {
    NSLog(@"%@", self);
    [self my_dealloc];   // after the swap this calls the original dealloc
}
@end
```

Load the framework into the target process from the debugger:

```
(gdb) p (char)[[NSBundle bundleWithPath:@"/Library/Frameworks/XX.framework"] load]
```
Other Techniques
• Memory dump

```
$ sudo ./gcore64 -c /tmp/dump.bin 4149
$ strings dump.bin | sort -u > /tmp/dump.txt
# key=consumerSecret&
$ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt
```

• Google…
4. iOS / OS X + STTwitter
OS X Twitter Credentials
Accounts.framework
@nst021 xxxxxx
STTwitter architecture: two stacks behind the same API wrapper
- STTwitterAPIWrapper (+ twitterAPIWith…, - getHomeTimeline, - postStatus)
  -> STTwitterOAuthProtocol
     -> STOAuthOSX -> Accounts.framework / Social.framework: can use OS X consumer tokens…
     -> STTwitterOAuth -> STHTTPRequest: …or can use custom consumer tokens
STTwitter
https://github.com/nst/STTwitter
demo from 55.750984, 37.617571
TwitHunter
https://github.com/nst/TwitHunter
5. Discussion
1. Taking OAuth from the web to the desktop was a conceptual error: consumer tokens simply cannot be kept secret on the desktop.
2. Twitter cannot realistically revoke the keys of popular clients, especially on OS X / iOS.
3. xAuth brings nothing more than HTTP Digest Authentication, and sends the password in the request token phase.
4. OAuth cannot reliably identify the client, and additionally puts users at risk.
OAuth Session Fixation Attack Demo
5. I have to conclude that the real grounds for using OAuth are neither “security” nor spam fighting but the desire to control third-party client applications to please big media, consumers and advertisers.
6. Sadly for Twitter, ensuring that requests come from a certain client application is a very hard problem, and I am not sure it can be solved.
Recap
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Twitter: @nst021
Web: http://seriot.ch/abusing_twitter_api.php
Slides: http://www.slideshare.net/ASF-WS/presentations