2. AppSec 2012
Twitter relied on OAuth to control 3rd party clients.
Bad idea! Secret tokens are easy to extract.
Leaked consumer secrets can result in API abuses, DoS and session fixation attacks.
5. Twitter App. Only Authentication
[diagram: "Some App." holds consumer_key and consumer_secret, exchanges them with Twitter for a bearer_token (the violet token is for Some App.), and calls user_timeline with it; invalidate_token revokes the bearer token]
Use the consumer tokens to get the bearer token and exhaust the limits. Denial of service.
And now you can invalidate the bearer token. Denial of service for “Some App.”!
https://dev.twitter.com/docs/auth/application-only-auth
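The two slides above (leaked consumer secrets, and application-only auth turned into a denial of service) share one root cause: in the bearer-token flow everything is keyed by the consumer credentials. The mock below is an added example, not Twitter's code or the presenter's; the endpoint names follow the slide's diagram, while the rate limit, credentials and response shapes are constructed. It makes the trust model visible: whoever presents the consumer key and secret receives the same bearer token, draws from the same rate-limit bucket and can call invalidate_token on it, so the server cannot tell a second holder of a shipped secret from the app itself.

```python
"""Mock of application-only (bearer token) authentication as drawn on the slide.
Added example, not Twitter's code.  Endpoint names follow the slide; the rate
limit, credentials and response bodies are constructed placeholders."""
import base64
import secrets


def basic_header(consumer_key: str, consumer_secret: str) -> str:
    """Authorization header a client sends to the token endpoint.
    (The URL-encoding step Twitter's docs prescribe before base64 is omitted.)"""
    blob = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode()).decode()
    return "Basic " + blob


class AppOnlyAuthServer:
    def __init__(self, consumers: dict, limit_per_window: int = 15):
        self.consumers = consumers     # consumer_key -> consumer_secret
        self.bearer_for = {}           # consumer_key -> current bearer token
        self.owner_of = {}             # bearer token -> consumer_key
        self.remaining = {}            # consumer_key -> calls left in the window
        self.limit = limit_per_window

    def _consumer(self, header: str):
        """Return the consumer key if the Basic credentials are valid, else None."""
        try:
            scheme, blob = header.split(" ", 1)
            key, secret = base64.b64decode(blob).decode().split(":", 1)
        except ValueError:             # bad base64, bad UTF-8 or no ':' separator
            return None
        expected = self.consumers.get(key)
        if scheme != "Basic" or expected is None or not secrets.compare_digest(expected, secret):
            return None
        return key

    def oauth2_token(self, header: str):
        """POST /oauth2/token: one bearer token per consumer key, whoever asks."""
        key = self._consumer(header)
        if key is None:
            return 403, {"error": "invalid consumer credentials"}
        token = self.bearer_for.setdefault(key, secrets.token_urlsafe(32))
        self.owner_of[token] = key
        self.remaining.setdefault(key, self.limit)
        return 200, {"token_type": "bearer", "access_token": token}

    def user_timeline(self, bearer: str):
        """user_timeline endpoint: rate limited per consumer key, not per caller."""
        key = self.owner_of.get(bearer)
        if key is None:
            return 401, {"error": "invalid or revoked bearer token"}
        if self.remaining[key] == 0:
            return 429, {"error": "rate limit exceeded"}
        self.remaining[key] -= 1
        return 200, {"x-rate-limit-remaining": self.remaining[key]}

    def invalidate_token(self, header: str, bearer: str):
        """POST /oauth2/invalidate_token: consumer credentials plus the bearer revoke it for everyone."""
        key = self._consumer(header)
        if key is None or self.owner_of.get(bearer) != key:
            return 403, {"error": "credentials do not own this token"}
        del self.owner_of[bearer]
        del self.bearer_for[key]
        return 200, {"access_token": bearer}


def demo(limit: int = 3):
    """Two holders of the same (constructed) consumer credentials share one identity."""
    key, secret = "example-consumer-key", "example-consumer-secret"   # constructed
    server = AppOnlyAuthServer({key: secret}, limit_per_window=limit)
    header = basic_header(key, secret)
    _, app = server.oauth2_token(header)       # the genuine app
    _, other = server.oauth2_token(header)     # any other holder of the same credentials
    shared = app["access_token"] == other["access_token"]
    for _ in range(limit):                     # the other holder uses up the shared bucket
        server.user_timeline(other["access_token"])
    status_after_drain = server.user_timeline(app["access_token"])[0]
    server.invalidate_token(header, other["access_token"])
    status_after_revoke = server.user_timeline(app["access_token"])[0]
    return shared, status_after_drain, status_after_revoke


if __name__ == "__main__":
    print(demo())   # (True, 429, 401)
```

The mock has no per-device state to check because the protocol gives the server none; the only structural fix is the one slide 11 draws, keeping the consumer secret on the app's own server and never in the shipped binary.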
6. UniBinary
Pack 289+ ASCII chars or 209+ bytes into 140 Chinese characters.
https://github.com/nst/UniBinary
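To show the idea behind packing bytes into CJK characters, here is an added example that is not UniBinary's own code and uses its own simplified scheme: 4096 consecutive code points of the CJK Unified Ideographs block serve as 12-bit digits, so three bytes fit in two characters, and one extra marker character records how many bytes the last group holds so the decoder can strip padding bits unambiguously. UniBinary's actual code point ranges and its separate 7-bit ASCII mode are not reproduced.

```python
"""Toy UniBinary-style packer (added example, not the UniBinary project's code).

Each ideograph carries 12 bits; 3 bytes -> 2 characters.  A final marker
character (one of three ideographs just past the digit range) records how
many bytes (0, 1 or 2) the incomplete last group contains.
"""

CJK_BASE = 0x4E00                              # start of CJK Unified Ideographs
BITS_PER_CHAR = 12                             # 2**12 = 4096 ideographs act as digits
DIGITS = 1 << BITS_PER_CHAR
TAIL_BASE = CJK_BASE + DIGITS                  # U+5E00..U+5E02 mark 0/1/2 leftover bytes


def encode(data: bytes) -> str:
    """Pack arbitrary bytes into ideographs, 12 bits per character, plus a tail marker."""
    nbits = len(data) * 8
    pad = (-nbits) % BITS_PER_CHAR             # zero bits appended to fill the last digit
    bits = int.from_bytes(data, "big") << pad if data else 0
    nchars = (nbits + pad) // BITS_PER_CHAR
    out = []
    for i in range(nchars):
        shift = (nchars - 1 - i) * BITS_PER_CHAR
        out.append(chr(CJK_BASE + ((bits >> shift) & (DIGITS - 1))))
    out.append(chr(TAIL_BASE + len(data) % 3))
    return "".join(out)


def decode(text: str) -> bytes:
    """Inverse of encode(); raises ValueError on anything outside the alphabet."""
    if not text:
        raise ValueError("empty input")
    tail = ord(text[-1]) - TAIL_BASE
    if tail not in (0, 1, 2):
        raise ValueError("missing or invalid tail marker")
    body = text[:-1]
    # a 1-byte leftover occupies 1 char, a 2-byte leftover 2 chars, so the
    # number of leftover chars equals `tail` and the rest must pair up
    if (len(body) - tail) % 2 or len(body) < tail:
        raise ValueError("length does not match tail marker")
    bits = 0
    for ch in body:
        digit = ord(ch) - CJK_BASE
        if not 0 <= digit < DIGITS:
            raise ValueError(f"U+{ord(ch):04X} is not in the alphabet")
        bits = (bits << BITS_PER_CHAR) | digit
    nbytes = ((len(body) - tail) // 2) * 3 + tail
    padding = len(body) * BITS_PER_CHAR - nbytes * 8
    return (bits >> padding).to_bytes(nbytes, "big")


def capacity(nchars: int) -> int:
    """Bytes that fit in a message of nchars characters (one is the tail marker)."""
    body = nchars - 1
    return (body // 2) * 3 + body % 2


if __name__ == "__main__":
    packed = encode(b"abc")
    print(packed, decode(packed), capacity(140))
```

Because the marker is itself an ideograph, a 140-character tweet spends one character on it, which is why this toy scheme carries a few bytes less than the figure quoted on the slide.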
7. Core Text Crasher
$ gdb Twitter
(gdb) r
Starting program: /Applications/Twitter.app/Contents/MacOS/Twitter
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001084e8008
0x00007fff9432ead2 in vDSP_sveD ()
(gdb) bt
#0 0x00007fff9432ead2 in vDSP_sveD ()
#1 0x00007fff934594fe in TStorageRange::SetStorageSubRange ()
#2 0x00007fff93457d5c in TRun::TRun ()
8. The vulnerable code has probably been in the wild for
yonks; some people noticed it six months ago and it
appeared on some slides [PDF] in April for a Hack In The
Box conference presentation. Barely anyone took any
notice back then - but it started to spread around the
web over the weekend after a trigger string appeared on
a Russian website.
http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/
11. Twitter
[diagram: Reverse Auth. flow between Twitter, My.app on the device (iOS_key, iOS_secret, request_token, request_key) and My.app Server (consumer_key, consumer_secret, access_token, access_key, access_secret); the green tokens are for @nst021 with My.app; My.app Server calls home_timeline]
✓ CS is not shipped with My.app.
✗ User unknowingly grants My.app access to her DMs.
https://dev.twitter.com/docs/ios/using-reverse-auth
12. Twitter / iOS Integration
• How does Twitter identify the application sending requests through iOS frameworks?
• TWRequest (iOS 5) adds an application_id param to each request (e.g. ch.seriot.myApp)
• SLRequest (iOS 6+) does not!
15. POST https://api.twitter.com/1/account/generate.json
Authorization: OAuth
oauth_nonce="C4E16213-9058-49E8-A06E-65A5D961EED0",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1378598935",
oauth_consumer_key="IHUYavQ7mmPBhNiBBlF9Q",
oauth_token="8285392-niqOtDvwwUXOzQJsCvDxcPndUBHb4dWrTLXw1nTw",
oauth_signature="V6ySPsviDz%2BJnTvBFoE2qpHJv70%3D",
oauth_version="1.0"
Form fields:
adc: pad
discoverable_by_email: 0
email: EMAIL
geo_enabled: 0
lang: en
name: NAME
password: PASSWORD
screen_name: SCREEN_NAME
send_error_codes: true
time_zone: CEST
Related consumer secret is easy to find with GDB attached to iOS Simulator.
No need to fill captchas anymore :)
17. “Almost” OAuth
RFC 5849, 3.2. Verifying Requests
✗ (nonce, timestamp, token) can be reused across requests.
Servers receiving an authenticated request MUST validate it by:
(...)
o If using the "HMAC-SHA1" or "RSA-SHA1" signature methods, ensuring
that the combination of nonce/timestamp/token (if present)
received from the client has not been used before in a previous
request (the server MAY reject requests with stale timestamps as
described in Section 3.3).
RFC 5849, 3.3. Nonce and Timestamp
✗ nonce can be fixed.
(...)
A nonce is a random string, uniquely generated by the client to allow
the server to verify that a request has never been made before and
helps prevent replay attacks when requests are made over a non-secure
channel. The nonce value MUST be unique across all requests with the
same timestamp, client credentials, and token combinations.
http://tools.ietf.org/html/rfc5849
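The signed request on slide 15 and the RFC 5849 checks quoted on this slide fit together in one piece of code: the client builds the signature base string and the HMAC-SHA1 signature, and the server recomputes it and additionally enforces the section 3.2 rule that the slide marks as missing, rejecting a repeated nonce/timestamp/token combination and stale timestamps. This is an added example, not Twitter's code nor the presenter's; the consumer key, token, secrets and form fields are constructed placeholders, the URL is assumed to carry no query string, and the demo clock reuses the timestamp shown on slide 15.

```python
"""RFC 5849 (OAuth 1.0) HMAC-SHA1 signing and the server-side checks of
section 3.2.  Added example, not Twitter's code.  All credentials are
constructed placeholders; URLs are assumed to have no query string."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value: str) -> str:
    """Percent-encode as in RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' survive."""
    return quote(value, safe="")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (section 3.4.1): METHOD & base URL & normalized parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # encode every name and value first, then sort by encoded name then value
    encoded = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string with key consumer_secret&token_secret (section 3.4.2)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(method, url, body, consumer_key, consumer_secret, token, token_secret,
                  now=None, nonce=None) -> dict:
    """Client side: merge the oauth_* parameters into the form body and sign the result."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class Verifier:
    """Server side: the checks of section 3.2, including the replay rule the slide says was not enforced."""

    def __init__(self, consumers: dict, tokens: dict, window: int = 300):
        self.consumers = consumers    # consumer_key -> consumer_secret
        self.tokens = tokens          # oauth_token -> token_secret
        self.window = window          # tolerated clock skew in seconds
        self.seen = set()             # (consumer_key, token, timestamp, nonce) already accepted

    def verify(self, method: str, url: str, params: dict, now=None):
        now = now if now is not None else time.time()
        try:
            ckey, token = params["oauth_consumer_key"], params["oauth_token"]
            ts, nonce, sig = int(params["oauth_timestamp"]), params["oauth_nonce"], params["oauth_signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed oauth parameters"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        if ckey not in self.consumers or token not in self.tokens:
            return False, "unknown consumer key or token"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        expected = sign(method, url, params, self.consumers[ckey], self.tokens[token])
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        replay_key = (ckey, token, ts, nonce)
        if replay_key in self.seen:
            return False, "replayed nonce/timestamp/token"
        self.seen.add(replay_key)
        return True, "ok"


# constructed placeholders, not the credentials shown on the slide
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
TOKEN, TOKEN_SECRET = "example-token", "example-token-secret"
URL = "https://api.example.test/1/account/generate.json"


def demo():
    """First delivery accepted, byte-identical replay refused, tampered body refused."""
    server = Verifier({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})
    now = 1378598935                           # oauth_timestamp from the slide, used as the clock
    body = {"screen_name": "SCREEN_NAME", "lang": "en"}
    req = build_request("POST", URL, body, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET, now=now)
    first = server.verify("POST", URL, req, now=now)
    replay = server.verify("POST", URL, req, now=now)
    tampered = build_request("POST", URL, body, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET,
                             now=now, nonce="fixed-nonce")
    tampered["lang"] = "fr"                    # body changed after signing
    return first, replay, server.verify("POST", URL, tampered, now=now + 1)


if __name__ == "__main__":
    print(demo())
```

The seen-set is unbounded here; a production verifier only needs to remember combinations whose timestamp is still inside the acceptance window, since anything older is already refused as stale.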
20. Looking for Ads
• Still no clues about promoted contents. Let’s start our favorite SSL proxy!
[diagram: Twitter.app → SSL proxy → api.twitter.com]
• Doesn’t work because of certificate pinning.
• Binary patching FTW!