Abusing Twitter API
One year later…
Nicolas Seriot

Application Security Forum - 2012
Western Switzerland
7-8 November 2012
Y-Parc / Yverdon-les-Bains
https://www.appsec-forum.ch
AppSec 2012

Twitter relied on OAuth to control 3rd party clients. Bad idea! Secret tokens are easy to extract.

Leaked consumer secrets can result in API abuses, DoS and session fixation attacks.
HITB 2013 Amsterdam

@boblord
HITB, April 10th

April 23rd, 2013
App. Only Authentication
https://dev.twitter.com/docs/auth/application-only-auth

Some App.  <->  Twitter
consumer_key / consumer_secret -> token (bearer_token) -> user_timeline
(violet token is for Some App.)

Use the consumer tokens to get the bearer token and exhaust the limits. Denial of service.

invalidate_token: and now you can invalidate the bearer token. Denial of service for “Some App.”!
UniBinary

Pack 289+ ASCII chars or 209+ bytes into 140 chinese characters.
https://github.com/nst/UniBinary
Core Text Crasher

$ gdb Twitter
(gdb) r
Starting program: /Applications/Twitter.app/Contents/MacOS/Twitter
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001084e8008
0x00007fff9432ead2 in vDSP_sveD ()
(gdb) bt
#0 0x00007fff9432ead2 in vDSP_sveD ()
#1 0x00007fff934594fe in TStorageRange::SetStorageSubRange ()
#2 0x00007fff93457d5c in TRun::TRun ()
The vulnerable code has probably been in the wild for yonks; some people noticed it six months ago and it appeared on some slides [PDF] in April for a Hack In The Box conference presentation. Barely anyone took any notice back then - but it started to spread around the web over the weekend after a trigger string appeared on a Russian website.

http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/
http://www.lemondeinformatique.fr/actualites/lire-un-developpeur-detourne-lafonction-oauth-de-twitter-53213.html
Since HITB

Reverse Auth.
https://dev.twitter.com/docs/ios/using-reverse-auth

Twitter  <->  My.app  <->  My.app Server
iOS_key / iOS_secret, request_token / request_key, consumer_key / consumer_secret,
access_token / access_key / access_secret, home_timeline
(green tokens are for @nst021 with My.app)

✓ CS is not shipped with My.app.
✗ User unknowingly grants My.app access to her DMs.
Twitter / iOS Integration

• How does Twitter identify the application sending requests through iOS frameworks?
• TWRequest (iOS 5) adds an application_id param to each request (eg. ch.seriot.myApp)
• SLRequest (iOS 6+) does not!
Accounts Creation

Web:           Captcha
iOS Settings:  No Captcha
Create Accounts in Batch

POST https://api.twitter.com/1/account/generate.json
Authorization: OAuth
  oauth_nonce="C4E16213-9058-49E8-A06E-65A5D961EED0",
  oauth_signature_method="HMAC-SHA1",
  oauth_timestamp="1378598935",
  oauth_consumer_key="IHUYavQ7mmPBhNiBBlF9Q",
  oauth_token="8285392-niqOtDvwwUXOzQJsCvDxcPndUBHb4dWrTLXw1nTw",
  oauth_signature="V6ySPsviDz%2BJnTvBFoE2qpHJv70%3D",
  oauth_version="1.0"

adc:                    pad
discoverable_by_email:  0
email:                  EMAIL
geo_enabled:            0
lang:                   en
name:                   NAME
password:               PASSWORD
screen_name:            SCREEN_NAME
send_error_codes:       true
time_zone:              CEST

Related consumer secret is easy to find with GDB attached to iOS Simulator. No need to fill captchas anymore :)
Weird Consumer Identity

WTF?!
“Almost” OAuth

✗ (nonce, timestamp, token) can be reused across requests.

3.2. Verifying Requests

   Servers receiving an authenticated request MUST validate it by:
   (...)
   o  If using the "HMAC-SHA1" or "RSA-SHA1" signature methods, ensuring
      that the combination of nonce/timestamp/token (if present)
      received from the client has not been used before in a previous
      request (the server MAY reject requests with stale timestamps as
      described in Section 3.3).

3.3. Nonce and Timestamp

✗ nonce can be fixed.

   (...)
   A nonce is a random string, uniquely generated by the client to allow
   the server to verify that a request has never been made before and
   helps prevent replay attacks when requests are made over a non-secure
   channel. The nonce value MUST be unique across all requests with the
   same timestamp, client credentials, and token combinations.

http://tools.ietf.org/html/rfc5849
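The check that section 3.2 requires, written out as a small server-side guard. This is example code added here, not from the slides or from Twitter's implementation; the header values are constructed and the 300-second freshness window is an assumed server policy.

```python
"""Server-side replay check that RFC 5849 section 3.2 requires: a
(nonce, timestamp, token) combination may be accepted only once per client,
and stale timestamps are rejected as section 3.3 allows.
Example code, not from the slides; header values are constructed and the
300-second window is an assumed policy value."""

import time

FRESHNESS_WINDOW = 300  # seconds; RFC 5849 leaves the exact window to the server (assumed)


def parse_oauth_header(header):
    """Split 'OAuth k="v", k2="v2"' into a dict; values stay percent-encoded."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError("malformed parameter: %r" % part.strip())
        params[key] = value[1:-1]
    return params


class ReplayGuard:
    """Remembers every accepted (consumer_key, token, timestamp, nonce) tuple
    that is still inside the freshness window, so a replayed request is
    rejected even though its signature would verify."""

    def __init__(self, window=FRESHNESS_WINDOW, clock=time.time):
        self.window = window
        self.clock = clock
        self.seen = {}  # tuple -> timestamp it carried

    def _forget_expired(self, now):
        # Tuples older than the window can be dropped: a replay of one would
        # already fail the stale-timestamp check below.
        for key, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[key]

    def check(self, header):
        """Return (accepted, reason). Signature verification is a separate step."""
        params = parse_oauth_header(header)
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
            consumer = params["oauth_consumer_key"]
        except (KeyError, ValueError):
            return False, "missing or malformed oauth parameter"
        token = params.get("oauth_token", "")  # optional in RFC 5849
        now = int(self.clock())
        self._forget_expired(now)
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        key = (consumer, token, ts, nonce)
        if key in self.seen:
            return False, "nonce/timestamp/token already used"
        self.seen[key] = ts
        return True, "ok"


def make_header(nonce, timestamp, consumer_key="CONSUMER_KEY", token="ACCESS_TOKEN"):
    """Build a constructed Authorization header in the shape of the slide's request."""
    return ('OAuth oauth_nonce="%s", oauth_signature_method="HMAC-SHA1", '
            'oauth_timestamp="%d", oauth_consumer_key="%s", oauth_token="%s", '
            'oauth_signature="SIGNATURE", oauth_version="1.0"'
            % (nonce, timestamp, consumer_key, token))
```

Note that a fixed nonce with a fresh timestamp is a new combination and passes, which is all the RFC's MUST asks for; the replay the slides describe is the same tuple presented twice.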
Promoted Contents

No Ad
Ad
Undocumented API?
$ strings Twitter
...
activity/about_me.json
activity/by_friends.json
conversation/show.json
discover/highlight.json
discover/universal.json
statuses/:id/activity/summary.json
statuses/media_timeline.json
statuses/mentions_timeline.json
timeline/home.json
trends/available.json
users/recommendations.json
...
Looking for Ads

• Still no clues about promoted contents. Let’s start our favorite SSL proxy!

Twitter.app -> SSL proxy -> api.twitter.com

• Doesn’t work because of certificate pinning.
• Binary patching FTW!
-[ABHTTPRequest connection:willSendRequestForAuthenticationChallenge:]
...
0x00260cd4 45F2EA50   movw   r0, #0x55ea
0x00260cd8 3246       mov    r2, r6
0x00260cda C0F23900   movt   r0, #0x39
0x00260cde 7844       add    r0, pc                              ; 0x5f62cc
0x00260ce0 0168       ldr    r1, [r0]                            ; @selector(_isPinnedCertificateChain:)
0x00260ce2 2046       mov    r0, r4
0x00260ce4 B0F1DEEC   blx    imp___picsymbolstub4__objc_msgSend  ; BOOL isPinned = [self _isPinnedCertificateChain:object];
0x00260ce8 0446       mov    r4, r0
0x00260cea 2846       mov    r0, r5
0x00260cec B0F1FAEC   blx    imp___picsymbolstub4__objc_release
0x00260cf0 14F0FF0F   tst.w  r4, #0xff                           ; Z = (r4 & 0xff) == 0 ; Z = (r4 == 0)
0x00260cf4 40F08E80   bne.w  0x260e14                            ; if(isPinned) {
...                                                              ;     goto 0x260e14; // continue handling the request
                                                                 ; } else {
                                                                 ;     return error;
                                                                 ; }
ARM THUMB Instruction Set

https://ece.uwaterloo.ca/~ece222/ARM/ARM7-TDMI-manual-pt3.pdf
Crafting Opcode

1110 0... .... ....                    ; opcode format

0x00260e14 - 0x00260cf4 = 0x120        ; offset

0000 0001 0010 0000                    ; 0x120
0000 0000 1001 0000                    ; 0x120 >> 1
1110 0... .... ....                    ; format
___________________
1110 0000 1001 0000                    ; 0xE090
0xE  0x0  0x9  0x0

-> 0x90E0 little endian
-[ABHTTPRequest connection:willSendRequestForAuthenticationChallenge:]
...
0x00260cd4 45F2EA50   movw   r0, #0x55ea
0x00260cd8 3246       mov    r2, r6
0x00260cda C0F23900   movt   r0, #0x39
0x00260cde 7844       add    r0, pc                              ; 0x5f62cc
0x00260ce0 0168       ldr    r1, [r0]                            ; @selector(_isPinnedCertificateChain:)
0x00260ce2 2046       mov    r0, r4
0x00260ce4 B0F1DEEC   blx    imp___picsymbolstub4__objc_msgSend  ; BOOL isPinned = [self _isPinnedCertificateChain:object];
0x00260ce8 0446       mov    r4, r0
0x00260cea 2846       mov    r0, r5
0x00260cec B0F1FAEC   blx    imp___picsymbolstub4__objc_release
- 0x00260cf0 14F0FF0F tst.w  r4, #0xff                           ; Z = (r4 & 0xff) == 0 ; Z = (r4 == 0)
+ 0x00260cf0 90E0FF0F b      0x260e14                            ; jump to happy path (FF0F is unused)
0x00260cf4 40F08E80   bne.w  0x260e14                            ; never reached
...                                                              ; goto 0x260e14; // continue handling the request
                                                                 ;
                                                                 ;
                                                                 ; return error;
                                                                 ;
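The "Crafting Opcode" derivation and the two-byte patch above, written out as an encoder so the arithmetic can be checked and reversed. This is example code added here, not from the slides; the addresses and the raw bytes are the ones in the listing, everything else is the Thumb-16 B encoding (1110 0 imm11) from the ARM manual the slides cite.

```python
"""Thumb-16 unconditional branch (B, encoding 1110 0 imm11) encoder/decoder
and the halfword patch from the listing. Example code, not from the slides."""

import struct

THUMB_B_OPCODE = 0xE000  # 1110 0... .... .... : opcode bits of the 16-bit B
PC_READ_AHEAD = 4        # in Thumb state PC reads as the instruction address + 4


def encode_thumb_b(instr_addr, target):
    """Return the little-endian bytes of 'B target' to be placed at instr_addr."""
    if instr_addr % 2 or target % 2:
        raise ValueError("Thumb addresses must be halfword aligned")
    # Displacement is relative to PC, i.e. instruction address + 4:
    # 0x260e14 - (0x260cf0 + 4) = 0x260e14 - 0x260cf4 = 0x120
    offset = target - (instr_addr + PC_READ_AHEAD)
    # imm11 is a signed count of halfwords, so the byte range is -2048..+2046
    if not -2048 <= offset <= 2046:
        raise ValueError("offset %#x does not fit a 16-bit B" % offset)
    imm11 = (offset >> 1) & 0x7FF        # 0x120 >> 1 = 0x90
    opcode = THUMB_B_OPCODE | imm11      # 0xE000 | 0x90 = 0xE090
    return struct.pack("<H", opcode)     # little endian: 90 E0


def decode_thumb_b(halfword, instr_addr):
    """Inverse of encode_thumb_b: branch target of a 16-bit B located at instr_addr."""
    if halfword & 0xF800 != THUMB_B_OPCODE:
        raise ValueError("%#06x is not a 16-bit unconditional B" % halfword)
    offset = (halfword & 0x7FF) << 1
    if offset & 0x800:                   # sign-extend the 12-bit byte offset
        offset -= 0x1000
    return instr_addr + PC_READ_AHEAD + offset


def patch_branch(code, base_addr, instr_addr, target):
    """Overwrite the halfword at instr_addr in `code` (which starts at base_addr)
    with 'B target'. Only two bytes change: when the original instruction was
    32 bits wide its second halfword stays behind, unreachable (the slide's
    'FF0F is unused')."""
    off = instr_addr - base_addr
    if off < 0 or off + 2 > len(code):
        raise ValueError("instr_addr is outside the given code bytes")
    return code[:off] + encode_thumb_b(instr_addr, target) + code[off + 2:]


# The eight bytes at 0x00260cf0 in the listing: tst.w r4, #0xff ; bne.w 0x260e14
ORIGINAL = bytes.fromhex("14F0FF0F" "40F08E80")

if __name__ == "__main__":
    patched = patch_branch(ORIGINAL, 0x00260cf0, 0x00260cf0, 0x00260e14)
    print(patched.hex())  # 90e0ff0f40f08e80
```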
My 2 Bytes
Promoted Contents Secret

&pc=true
Twitter: @nst021
Web: http://seriot.ch/abusing_twitter_api.php
Slides: http://www.slideshare.net/ASF-WS/presentations

ASFWS 2013 Rump Session - Abusing Twitter API One year later… Nicolas Seriot

  • 1. Abusing Twitter API. One year later… Nicolas Seriot. Application Security Forum - 2012, Western Switzerland, 7-8 November 2012, Y-Parc / Yverdon-les-Bains, https://www.appsec-forum.ch
  • 2. AppSec 2012: Twitter relied on OAuth to control 3rd party clients. Bad idea! Secret tokens are easy to extract. Leaked consumer secrets can result in API abuses, DoS and session fixation attacks.
  • 5. App. Only Authentication (https://dev.twitter.com/docs/auth/application-only-auth). Diagram: Some App. sends its consumer_key / consumer_secret to Twitter's token endpoint and receives a bearer_token (the violet token is for Some App.), then calls user_timeline with it. Use the consumer tokens to get the bearer token and exhaust the limits: denial of service. And now you can invalidate the bearer token (invalidate_token): denial of service for “Some App.”!
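The two abuses on this slide only need the strings shipped inside the app binary. The following is an added example (not the author's code and not Twitter's implementation): a toy application-only server that, as an assumption matching "violet token is for Some App.", hands out one bearer token per app and rate-limits that bearer. The credential builder follows the documented scheme (URL-encoded key and secret, joined with a colon, base64-encoded); the endpoint names mirror the documented ones, and all keys and quotas are constructed for the example.

```python
import base64
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed sample credentials for this example (not a real Twitter app).
CONSUMER_KEY = "exampleConsumerKey123"
CONSUMER_SECRET = "exampleConsumerSecret/with+chars"


def basic_credentials(consumer_key, consumer_secret):
    """Value of the Authorization header sent to POST oauth2/token:
    URL-encode key and secret, join with ':', base64 the result.
    Anyone who extracted the two strings from a shipped binary can build it."""
    pair = quote(consumer_key, safe="") + ":" + quote(consumer_secret, safe="")
    return "Basic " + base64.b64encode(pair.encode()).decode()


class FakeTwitterAppOnly:
    """Toy model of application-only auth (an assumption of this example):
    one bearer token per app, a per-window call quota on that bearer, and
    POST oauth2/invalidate_token revoking it for everyone who uses it."""

    def __init__(self, apps, quota):
        self.apps = dict(apps)      # consumer_key -> consumer_secret
        self.quota = quota
        self.bearer_of = {}         # consumer_key -> bearer token
        self.remaining = {}         # bearer token -> calls left in window

    def _app_from_basic(self, authorization):
        scheme, _, blob = authorization.partition(" ")
        if scheme != "Basic":
            return None
        key, _, secret = base64.b64decode(blob).decode().partition(":")
        key, secret = unquote(key), unquote(secret)
        expected = self.apps.get(key)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        return key

    def post_oauth2_token(self, authorization, body):
        if body != "grant_type=client_credentials":
            return 400, {"errors": "unsupported grant_type"}
        app = self._app_from_basic(authorization)
        if app is None:
            return 403, {"errors": "invalid client credentials"}
        if app not in self.bearer_of:
            bearer = secrets.token_urlsafe(32)
            self.bearer_of[app] = bearer
            self.remaining[bearer] = self.quota
        return 200, {"token_type": "bearer", "access_token": self.bearer_of[app]}

    def post_oauth2_invalidate_token(self, authorization, body):
        app = self._app_from_basic(authorization)
        bearer = body.partition("access_token=")[2]
        if app is None or self.bearer_of.get(app) != bearer:
            return 403, {"errors": "token does not belong to this app"}
        del self.bearer_of[app]
        del self.remaining[bearer]
        return 200, {"access_token": bearer}

    def get_user_timeline(self, authorization):
        scheme, _, bearer = authorization.partition(" ")
        if scheme != "Bearer" or bearer not in self.remaining:
            return 401, {"errors": "invalid or expired token"}
        if self.remaining[bearer] == 0:
            return 429, {"errors": "rate limit exceeded"}
        self.remaining[bearer] -= 1
        return 200, {"statuses": []}


def leaked_secret_scenario(quota=5):
    """Replays the two abuses from the slide against the toy server."""
    twitter = FakeTwitterAppOnly({CONSUMER_KEY: CONSUMER_SECRET}, quota)
    creds = basic_credentials(CONSUMER_KEY, CONSUMER_SECRET)
    grant = "grant_type=client_credentials"

    # "Some App." obtains its bearer token legitimately and makes one call.
    _, legit = twitter.post_oauth2_token(creds, grant)
    bearer = legit["access_token"]
    first_call = twitter.get_user_timeline("Bearer " + bearer)[0]

    # The attacker extracted the same consumer key/secret: same bearer.
    _, stolen = twitter.post_oauth2_token(creds, grant)

    # Abuse 1: burn the app's whole window, then see what the real app gets.
    while twitter.get_user_timeline("Bearer " + stolen["access_token"])[0] == 200:
        pass
    after_exhaustion = twitter.get_user_timeline("Bearer " + bearer)[0]

    # Abuse 2: invalidate the bearer out from under the real app.
    invalidate = twitter.post_oauth2_invalidate_token(creds, "access_token=" + bearer)[0]
    after_invalidation = twitter.get_user_timeline("Bearer " + bearer)[0]

    return {
        "first_call": first_call,
        "same_bearer": stolen["access_token"] == bearer,
        "after_exhaustion": after_exhaustion,
        "invalidate": invalidate,
        "after_invalidation": after_invalidation,
    }
```

The point the model makes concrete: nothing in application-only auth distinguishes the real app from whoever copied its two strings, so the quota and the invalidate call both act on the real app's behalf.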
  • 6. UniBinary Pack 289+ ASCII chars or 209+ bytes into 140 chinese characters. https://github.com/nst/UniBinary
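To show how a 140-character tweet ends up carrying about 210 bytes, here is an added example with a simplified packing scheme of my own; it is not UniBinary's code or its exact layout (the repository above has the real one). Each CJK ideograph in a 4096-code-point range carries 12 bits, so three bytes become two characters; two small extra ranges (an assumption of this scheme) mark an 8-bit or 4-bit tail so the decoder knows the exact byte count.

```python
# Code point ranges used by this example's scheme (an assumption, not
# UniBinary's own layout): 4096 CJK ideographs carry 12 data bits each,
# and two small ranges mark an 8-bit or 4-bit tail so the byte count is
# unambiguous when decoding.
DATA_BASE = 0x4E00            # U+4E00 .. U+5DFF: 12 bits per character
TAIL8_BASE = 0x5E00           # U+5E00 .. U+5EFF: one trailing byte
TAIL4_BASE = 0x5F00           # U+5F00 .. U+5F0F: trailing 4 bits


def pack12(data: bytes) -> str:
    """Every 3 bytes become 2 characters (24 bits = 2 x 12)."""
    out = []
    full = len(data) - len(data) % 3
    for i in range(0, full, 3):
        b0, b1, b2 = data[i], data[i + 1], data[i + 2]
        out.append(chr(DATA_BASE + ((b0 << 4) | (b1 >> 4))))
        out.append(chr(DATA_BASE + (((b1 & 0x0F) << 8) | b2)))
    rest = data[full:]
    if len(rest) == 1:
        out.append(chr(TAIL8_BASE + rest[0]))
    elif len(rest) == 2:
        out.append(chr(DATA_BASE + ((rest[0] << 4) | (rest[1] >> 4))))
        out.append(chr(TAIL4_BASE + (rest[1] & 0x0F)))
    return "".join(out)


def unpack12(text: str) -> bytes:
    """Inverse of pack12: shift each character's bits into an accumulator
    and emit whole bytes; the tail ranges say how many bits they carry."""
    out = bytearray()
    acc, nbits = 0, 0
    for ch in text:
        cp = ord(ch)
        if DATA_BASE <= cp < DATA_BASE + 0x1000:
            acc, nbits = (acc << 12) | (cp - DATA_BASE), nbits + 12
        elif TAIL8_BASE <= cp < TAIL8_BASE + 0x100:
            acc, nbits = (acc << 8) | (cp - TAIL8_BASE), nbits + 8
        elif TAIL4_BASE <= cp < TAIL4_BASE + 0x10:
            acc, nbits = (acc << 4) | (cp - TAIL4_BASE), nbits + 4
        else:
            raise ValueError("character %r is not part of the encoding" % ch)
        while nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    if nbits:
        raise ValueError("truncated input: %d dangling bits" % nbits)
    return bytes(out)


def tweet_capacity(n_chars=140):
    """Whole bytes that fit in n_chars characters of this scheme."""
    return n_chars * 12 // 8
```

With this layout 209 bytes (69 triplets plus a 2-byte tail) and 210 bytes (70 triplets) both fit in exactly 140 characters, which is the order of magnitude the slide quotes; the ASCII-pair figure of 289+ comes from UniBinary's separate text mode, which this example does not reproduce.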
  • 7. Core Text Crasher
    $ gdb Twitter
    (gdb) r
    Starting program: /Applications/Twitter.app/Contents/MacOS/Twitter
    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_INVALID_ADDRESS at address: 0x00000001084e8008
    0x00007fff9432ead2 in vDSP_sveD ()
    (gdb) bt
    #0 0x00007fff9432ead2 in vDSP_sveD ()
    #1 0x00007fff934594fe in TStorageRange::SetStorageSubRange ()
    #2 0x00007fff93457d5c in TRun::TRun ()
  • 8. “The vulnerable code has probably been in the wild for yonks; some people noticed it six months ago and it appeared on some slides [PDF] in April for a Hack In The Box conference presentation. Barely anyone took any notice back then - but it started to spread around the web over the weekend after a trigger string appeared on a Russian website.” http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/
  • 11. Reverse Auth. (https://dev.twitter.com/docs/ios/using-reverse-auth). Diagram labels: My.app, My.app Server, Twitter; consumer_key / consumer_secret (held by My.app Server), iOS_key / iOS_secret, request_key / request_token, access_key / access_token / access_secret, home_timeline. Green tokens are for @nst021 with My.app. With reverse auth the server uses its consumer credentials to obtain a request token and hands it to the app, which exchanges it through the device's Twitter account for the user's access token. ✓ The consumer secret is not shipped with My.app. ✗ The user unknowingly grants My.app access to her DMs.
  • 12. Twitter / iOS Integration • How does Twitter identify the application sending requests through iOS frameworks? • TWRequest (iOS 5) adds an application_id param to each request (e.g. ch.seriot.myApp) • SLRequest (iOS 6+) does not!
  • 15. POST https://api.twitter.com/1/account/generate.json
    Authorization: OAuth oauth_nonce="C4E16213-9058-49E8-A06E-65A5D961EED0", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1378598935", oauth_consumer_key="IHUYavQ7mmPBhNiBBlF9Q", oauth_token="8285392-niqOtDvwwUXOzQJsCvDxcPndUBHb4dWrTLXw1nTw", oauth_signature="V6ySPsviDz%2BJnTvBFoE2qpHJv70%3D", oauth_version="1.0"
    Body parameters: adc=pad, discoverable_by_email=0, email=EMAIL, geo_enabled=0, lang=en, name=NAME, password=PASSWORD, screen_name=SCREEN_NAME, send_error_codes=true, time_zone=CEST
    The related consumer secret is easy to find with GDB attached to the iOS Simulator. No need to fill in captchas anymore :)
  • 17. “Almost” OAuth. ✗ (nonce, timestamp, token) can be reused across requests. ✗ nonce can be fixed. Compare RFC 5849 (http://tools.ietf.org/html/rfc5849):
    3.2. Verifying Requests: Servers receiving an authenticated request MUST validate it by: (...) If using the "HMAC-SHA1" or "RSA-SHA1" signature methods, ensuring that the combination of nonce/timestamp/token (if present) received from the client has not been used before in a previous request (the server MAY reject requests with stale timestamps as described in Section 3.3).
    3.3. Nonce and Timestamp: (...) A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.
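The signed request on slide 15 and the missing replay check on slide 17 are two halves of the same mechanism, so one added example covers both (it is not the author's code and not Twitter's server). It signs a request with HMAC-SHA1 as RFC 5849 specifies, then verifies it on a toy server that can be switched between the RFC behaviour and the "almost OAuth" behaviour the slide describes. The nonce and timestamp are taken from slide 15; the consumer and token secrets are constructed, since the real ones are not on the page.

```python
import base64
import hashlib
import hmac
import uuid
from urllib.parse import quote, unquote


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars survive."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(URL) & enc(normalized params).
    params = oauth_* protocol parameters plus query/body parameters,
    everything except oauth_signature itself."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return method.upper() + "&" + pct(url) + "&" + pct("&".join(k + "=" + v for k, v in pairs))


def hmac_sha1_signature(base, consumer_secret, token_secret):
    key = pct(consumer_secret) + "&" + pct(token_secret)
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: returns the Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or uuid.uuid4().hex,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**oauth, **body})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join('%s="%s"' % (k, pct(v)) for k, v in sorted(oauth.items()))


def parse_oauth_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    fields = {}
    for part in rest.split(", "):
        k, _, v = part.partition("=")
        fields[k] = unquote(v.strip('"'))
    return fields


class OAuthServer:
    """Server side. enforce_nonce=False reproduces the 'almost OAuth' behaviour
    on the slide: signature and timestamp window are checked, but a reused
    (nonce, timestamp, token) triple is accepted, so a captured request replays."""

    def __init__(self, consumers, tokens, enforce_nonce=True, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # oauth_token -> token_secret
        self.enforce_nonce = enforce_nonce
        self.window = window
        self.seen = set()            # (nonce, timestamp, token) already accepted

    def verify(self, method, url, body, header, now):
        oauth = parse_oauth_header(header)
        given = oauth.pop("oauth_signature", "")
        cs = self.consumers.get(oauth.get("oauth_consumer_key"))
        ts = self.tokens.get(oauth.get("oauth_token"))
        if cs is None or ts is None:
            return "unknown credentials"
        if abs(now - int(oauth.get("oauth_timestamp", "0"))) > self.window:
            return "stale timestamp"
        expected = hmac_sha1_signature(signature_base_string(method, url, {**oauth, **body}), cs, ts)
        if not hmac.compare_digest(expected, given):
            return "bad signature"
        triple = (oauth["oauth_nonce"], oauth["oauth_timestamp"], oauth["oauth_token"])
        if self.enforce_nonce and triple in self.seen:
            return "replay"
        self.seen.add(triple)
        return "ok"


def replay_demo(enforce_nonce):
    """Sign one account/generate request, then replay it and tamper with it."""
    url = "https://api.twitter.com/1/account/generate.json"
    body = {"screen_name": "SCREEN_NAME", "email": "EMAIL", "lang": "en"}
    ck, cs = "exampleConsumerKey", "exampleConsumerSecret"      # constructed
    tk, ts = "exampleAccessToken", "exampleAccessSecret"        # constructed
    now = 1378598935                                            # from slide 15
    server = OAuthServer({ck: cs}, {tk: ts}, enforce_nonce=enforce_nonce)
    header = sign_request("POST", url, body, ck, cs, tk, ts,
                          nonce="C4E16213-9058-49E8-A06E-65A5D961EED0", timestamp=now)
    first = server.verify("POST", url, body, header, now)
    replayed = server.verify("POST", url, body, header, now + 10)
    tampered = server.verify("POST", url, {**body, "screen_name": "attacker"}, header, now)
    return first, replayed, tampered
```

Note that the signature alone still pins the body: the tampered request fails either way. What the missing nonce/timestamp bookkeeping buys an attacker is the right to resend a captured, correctly signed request as often as the timestamp window allows, and with a fixed nonce and a still-valid timestamp that window is the only limit.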
  • 19. Undocumented API?
    $ strings Twitter
    ...
    activity/about_me.json
    activity/by_friends.json
    conversation/show.json
    discover/highlight.json
    discover/universal.json
    statuses/:id/activity/summary.json
    statuses/media_timeline.json
    statuses/mentions_timeline.json
    timeline/home.json
    trends/available.json
    users/recommendations.json
    ...
  • 20. Looking for Ads • Still no clues about promoted contents. Let's start our favorite SSL proxy! Twitter.app → SSL proxy → api.twitter.com • Doesn't work because of certificate pinning. • Binary patching FTW!
  • 21. -[ABHTTPRequest connection:willSendRequestForAuthenticationChallenge:]
    ...
    0x00260cd4 45F2EA50  movw  r0, #0x55ea
    0x00260cd8 3246      mov   r2, r6
    0x00260cda C0F23900  movt  r0, #0x39
    0x00260cde 7844      add   r0, pc                              ; 0x5f62cc
    0x00260ce0 0168      ldr   r1, [r0]                            ; @selector(_isPinnedCertificateChain:)
    0x00260ce2 2046      mov   r0, r4
    0x00260ce4 B0F1DEEC  blx   imp___picsymbolstub4__objc_msgSend  ; BOOL isPinned = [self _isPinnedCertificateChain:object];
    0x00260ce8 0446      mov   r4, r0
    0x00260cea 2846      mov   r0, r5
    0x00260cec B0F1FAEC  blx   imp___picsymbolstub4__objc_release
    0x00260cf0 14F0FF0F  tst.w r4, #0xff                           ; Z = (r4 & 0xff) == 0 ; Z = (r4 == 0)
    0x00260cf4 40F08E80  bne.w 0x260e14                            ; if(isPinned) { goto 0x260e14; // continue handling the request } else { return error; }
    ...
  • 22. ARM THUMB Instruction Set https://ece.uwaterloo.ca/~ece222/ARM/ARM7-TDMI-manual-pt3.pdf
  • 23. Crafting the opcode
    1110 0... .... ....                 ; 16-bit B format: 11100 followed by imm11, a signed halfword offset from PC
    0x00260e14 - 0x00260cf4 = 0x120     ; byte offset; the branch sits at 0x00260cf0 and in Thumb state PC reads as that address + 4
    0000 0001 0010 0000                 ; 0x120
    0000 0000 1001 0000                 ; 0x120 >> 1 = 0x90 (halfword units)
    1110 0... .... ....                 ; format
    ___________________
    1110 0000 1001 0000                 ; 0xE090
    0xE 0x0 0x9 0x0                     ; 0xE090 -> bytes 90 E0 in little endian
  • 24. -[ABHTTPRequest connection:willSendRequestForAuthenticationChallenge:]
    ...
    0x00260cd4 45F2EA50  movw  r0, #0x55ea
    0x00260cd8 3246      mov   r2, r6
    0x00260cda C0F23900  movt  r0, #0x39
    0x00260cde 7844      add   r0, pc                              ; 0x5f62cc
    0x00260ce0 0168      ldr   r1, [r0]                            ; @selector(_isPinnedCertificateChain:)
    0x00260ce2 2046      mov   r0, r4
    0x00260ce4 B0F1DEEC  blx   imp___picsymbolstub4__objc_msgSend  ; BOOL isPinned = [self _isPinnedCertificateChain:object];
    0x00260ce8 0446      mov   r4, r0
    0x00260cea 2846      mov   r0, r5
    0x00260cec B0F1FAEC  blx   imp___picsymbolstub4__objc_release
    - 0x00260cf0 14F0FF0F  tst.w r4, #0xff                         ; Z = (r4 & 0xff) == 0 ; Z = (r4 == 0)
    + 0x00260cf0 90E0FF0F  b     0x260e14                          ; jump to happy path (FF0F is unused)
    0x00260cf4 40F08E80  bne.w 0x260e14                            ; never reached: goto 0x260e14 (continue handling the request) is now unconditional and "return error" is dead
    ...
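Slides 21, 23 and 24 do the opcode arithmetic by hand; here it is as an added example (my code, not the author's tooling) that encodes the 16-bit Thumb B, decodes the original 32-bit bne.w to confirm both reach 0x260e14, and produces the patched bytes. The instruction bytes and addresses are the ones on the slides; the helper names are my own. The offset check matters in practice: a 16-bit B only reaches about 2 KB in either direction, so for a farther target you would need the 32-bit B.W (encoding T4) instead.

```python
import struct

COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE", "AL", "??"]


def encode_thumb_b(insn_addr, target):
    """16-bit unconditional branch, Thumb encoding T2: 11100 | imm11.
    imm11 is a signed halfword offset from PC, and in Thumb state PC reads as
    the instruction's own address + 4 (which is why the slide subtracts from
    0x00260cf4 for a branch placed at 0x00260cf0). Reach: -2048..+2046 bytes."""
    offset = target - (insn_addr + 4)
    if offset % 2 or not -2048 <= offset <= 2046:
        raise ValueError("0x%x not reachable from 0x%x with a 16-bit B" % (target, insn_addr))
    return struct.pack("<H", 0xE000 | ((offset >> 1) & 0x7FF))


def decode_thumb_b(insn_addr, code):
    """Inverse of encode_thumb_b; returns the branch target."""
    (hw,) = struct.unpack("<H", code[:2])
    if hw >> 11 != 0b11100:
        raise ValueError("not a T2 B: %04x" % hw)
    imm11 = hw & 0x7FF
    if imm11 & 0x400:            # sign-extend the 11-bit field
        imm11 -= 0x800
    return insn_addr + 4 + (imm11 << 1)


def decode_thumb_bcond_w(insn_addr, code):
    """32-bit conditional branch B<c>.W, encoding T3:
    hw1 = 11110 S cond(4) imm6, hw2 = 10 J1 0 J2 imm11.
    Returns (condition, target); used to confirm the original bne.w target."""
    hw1, hw2 = struct.unpack("<HH", code[:4])
    if hw1 >> 11 != 0b11110 or hw2 >> 14 != 0b10 or (hw2 >> 12) & 1:
        raise ValueError("not a T3 B<c>.W")
    s = (hw1 >> 10) & 1
    cond = (hw1 >> 6) & 0xF
    imm6 = hw1 & 0x3F
    j1 = (hw2 >> 13) & 1
    j2 = (hw2 >> 11) & 1
    imm11 = hw2 & 0x7FF
    imm = (s << 20) | (j2 << 19) | (j1 << 18) | (imm6 << 12) | (imm11 << 1)
    if s:                        # sign bit set: 21-bit two's complement
        imm -= 1 << 21
    return COND_NAMES[cond], insn_addr + 4 + imm


def patch_with_short_branch(original, insn_addr, target):
    """Overwrite the first halfword of a 4-byte instruction with a 16-bit B and
    leave the second halfword as it was: it sits after an unconditional jump,
    so it is never executed (the slide's 'FF0F is unused')."""
    if len(original) != 4:
        raise ValueError("expected a 32-bit instruction")
    return encode_thumb_b(insn_addr, target) + original[2:]


def slide_patch():
    """The exact bytes from slides 21/24: tst.w r4,#0xff at 0x00260cf0 becomes
    b 0x260e14, so the pinning result in r4 is never tested."""
    original = bytes.fromhex("14F0FF0F")
    patched = patch_with_short_branch(original, 0x00260CF0, 0x00260E14)
    bne_target = decode_thumb_bcond_w(0x00260CF4, bytes.fromhex("40F08E80"))
    return patched.hex().upper(), decode_thumb_b(0x00260CF0, patched), bne_target
```

Running slide_patch() reproduces the slide: the patched bytes are 90E0FF0F, the new B lands on 0x260e14, and the original instruction at 0x00260cf4 decodes as a conditional NE branch to the same address, which is what makes the unconditional jump a safe replacement.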