ASFWS 2012 - Bypassing the Terms of Use and the API of the Twitter Service, by Nicolas Seriot
Presentation Transcript

  • Abusing Twitter API
    Nicolas Seriot
    Application Security Forum - Western Switzerland 2012
    7-8 November 2012, Y-Parc / Yverdon-les-Bains
    https://www.appsec-forum.ch
  • Bio
    • Cocoa developer
    • HES Software Engineer
    • MAS Eco. Crime Investigation
    • Twitter user since July, 2008
    • Father of a newborn
  • Agenda
    1. Twitter
    2. OAuth
    3. Ripping Consumer Tokens
    4. iOS / OS X + STTwitter
    5. Discussion
  • [Timeline chart: Twitter, 2006 to 2012. Milestones on the chart: launch, HTTP Basic Authentication, API v1.0 with OAuth, the Tweetie and TweetDeck buyouts, last OS X client update, stricter ToS and display guidelines, API v1.1, verified accounts, promoted tweets and promoted trending topics, no more RSS, Dick Costolo as CEO, web and mobile. Tweets/day axis with marks 5000, 1M, 140M and 340M; "top-10 most visited websites"; "now $8 billion valuation".]
  • March 2013: Maximum Evilness
    "We're trying to limit certain use cases that occupy the upper-right quadrant."
    https://dev.twitter.com/blog/changes-coming-to-twitter-api
  • Display requirements
    • The author's name and @username must be displayed to the right of the avatar.
    • Reply, Retweet and Favorite Tweet actions must always be available.
    • No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
    • The Twitter logo or Follow button for the Tweet author must always be displayed.
    • The Tweet timestamp must always be linked to the Tweet permalink.
    • A timeline must not be rendered with non-Twitter content, e.g. from other networks.
    https://dev.twitter.com/terms/display-requirements
  • API terms
    • Max. 100'000 users per Twitter client app.
    • "Twitter discourages development in this area"
    https://dev.twitter.com/terms/api-terms
    "Developers ask us if they should build client apps that mimic or reproduce the mainstream Twitter consumer client experience. The answer is no."
    "We need to move to a less fragmented world, where every user can experience Twitter in a consistent way."
    https://groups.google.com/forum/#!msg/twitter-development-talk/yCzVnHqHIWo/sC34r_ZyMLYJ
  • Developers ♥ Stupid Rules!
    "Twitter obviously wants to make money by advertising in the stream. This will be impossible if all of the mechanisms aren't implemented to spec within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third parties to prevent fraud, poor presentation, etc."
    http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden
  • Breaking the Rules
    • OAuth authentication for every API request
    • "We reserve the right to revoke your app" https://dev.twitter.com/terms/api-terms
    • Can a rogue client spoof the identity of a regular client and use the API as it wants?
  • Agenda
    1. Twitter
    2. OAuth
    3. Ripping Consumer Tokens
    4. iOS / OS X + STTwitter
    5. Discussion
  • http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/
  • [Diagram: OAuth / Web. Actors: @nst021, bitly, Twitter. @nst021 tells bitly "Use my account"; bitly obtains a request_token, the user authorizes it, bitly obtains an access_token and calls home_timeline. The green coin is for bitly and @nst021.]
  • [Diagram: OAuth / Desktop. Actors: @nst021 on iOS, Twitter. Same steps: request_token, authorize, access_token, home_timeline. The green coin is for bitly and @nst021.]
  • [Diagram: Twitter authentication with PIN, 3 phases. Inputs: consumer_key, consumer_secret. Phase 1: request_token returns request_key and request_secret. Phase 2: authorize returns a verifier (the PIN). Phase 3: access_token returns access_key and access_secret, then home_timeline is called. The green coin is for bitly and @nst021.]
  • [Diagram: Twitter authentication with xAuth, 1 phase. Inputs: consumer_key, consumer_secret, username, password. access_token returns access_key and access_secret directly, then home_timeline is called. The green coin is for bitly and @nst021.]
  • Agenda
    1. Twitter
    2. OAuth
    3. Ripping Consumer Tokens
    4. iOS / OS X + STTwitter
    5. Discussion
  • /usr/bin/strings
    $ strings /Applications/Twitter.app/Contents/MacOS/Twitter
    3rJOl1ODzm9yZy63FACdg
    5jPo**************************************
  • Test the Tokens
    #!/usr/bin/env python
    # Python 2 / tweepy 1.x: run the OAuth PIN flow with the consumer tokens found above
    import tweepy
    CONSUMER_KEY = "3rJOl1ODzm9yZy63FACdg"
    CONSUMER_SECRET = "5jPo**************************************"
    auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
    auth_url = auth.get_authorization_url()
    print "Please authorize:", auth_url
    verifier = raw_input("PIN: ").strip()
    auth.get_access_token(verifier)
    print "ACCESS_KEY:", auth.access_token.key
    print "ACCESS_SECRET:", auth.access_token.secret
    demo
  • /usr/bin/gdb
    $ gdb attach <PID of OS X accountsd>
    (gdb) b -[OACredential consumerKey]
    (gdb) finish
    (gdb) po $rax
    tXvOrlJDmLnTfiUqJ3Kuw
    (gdb) b -[OACredential consumerSecret]
    (gdb) finish
    (gdb) po $rax
    AWcB**************************************
  • /usr/bin/gdb
    $ gdb attach <PID of iPhoneSimulator accountsd>
    (gdb) b -[OACredential consumerKey]
    (gdb) finish
    (gdb) po (int*)$eax
    WXZE9QillkIZpTANgLNT9g
    (gdb) b -[OACredential consumerSecret]
    (gdb) finish
    (gdb) po (int*)$eax
    Aau5**************************************
    demo
  • Logging Freed Strings
    $ sudo dtrace -n 'pid$target::free:entry { printf("%s", arg0 != NULL ? copyinstr(arg0) : "<NULL>"); }' -p 10123
  • Objective-C Variant
    @implementation NSString (XX)
    + (void)load {
        // Swizzle(): method-swizzling helper, not shown on the slide
        Swizzle([NSString class], @selector(dealloc), @selector(my_dealloc));
    }
    - (void)my_dealloc {
        NSLog(@"%@", self);
        [self my_dealloc]; // after swizzling, this calls the original dealloc
    }
    @end
    (gdb) p (char)[[NSBundle bundleWithPath:@"/Library/Frameworks/XX.framework"] load]
  • Other Techniques
    • Memory dump
      $ sudo ./gcore64 -c /tmp/dump.bin 4149
      $ strings /tmp/dump.bin | sort -u > /tmp/dump.txt
      # key=consumerSecret&
      $ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt
    • Google…
  • Agenda
    1. Twitter
    2. OAuth
    3. Ripping Consumer Tokens
    4. iOS / OS X + STTwitter
    5. Discussion
  • [Screenshot: OS X Twitter credentials held by Accounts.framework for @nst021, password masked.]
  • [Architecture diagram: STTwitter. STTwitterAPIWrapper (+ twitterAPIWith..., - getHomeTimeline, - postStatus) talks to STTwitterOAuthProtocol, which has two implementations: STTwitterOAuth, which can use custom consumer tokens and builds on STHTTPRequest, and STOAuthOSX, which can use the OS X consumer tokens through Accounts.framework and Social.framework.]
  • STTwitter
    https://github.com/nst/STTwitter
    demo from 55.750984, 37.617571
  • TwitHunter
    https://github.com/nst/TwitHunter
  • Agenda
    1. Twitter
    2. OAuth
    3. Ripping Consumer Tokens
    4. iOS / OS X + STTwitter
    5. Discussion
  • Discussion
    1. Taking OAuth from the web to the Desktop was a conceptual error. Consumer tokens simply cannot be kept secret on the Desktop.
    2. Twitter cannot realistically revoke keys from popular clients, especially from OS X / iOS.
    3. xAuth brings nothing more than HTTP Digest Authentication, and sends the password in the request token phase.
    4. OAuth cannot reliably identify the client, and additionally puts the users at risk.
    OAuth Session Fixation Attack Demo
  • Discussion (continued)
    5. I have to conclude that the real grounds for using OAuth are neither "security" nor spam fighting, but the desire to control third-party client applications to please big media, consumers and advertisers.
    6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure if it can be solved.
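Conclusions 1 and 4 above, as an added example that is not code from the talk or from STTwitter: an OAuth 1.0a HMAC-SHA1 signer (RFC 5849) next to the check an API server can perform. The consumer secret is the only input that identifies the client application, so a third-party client holding the same consumer key and secret produces a byte-identical Authorization header, and the server-side check cannot tell the two apart. All keys, tokens, nonce and timestamp are constructed placeholders, fixed so the two headers can be compared.

```python
import base64, hashlib, hmac
from urllib.parse import quote, unquote

def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (RFC 5849 section 3.6)
    return quote(s, safe="")

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    # Base string: METHOD & enc(url) & enc(sorted, normalized parameters)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    base = "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"  # the only client-specific input
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    # Authorization header a client sends; any holder of the consumer key/secret
    # pair produces exactly the same header for the same request
    oauth = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
             "oauth_token": token, "oauth_version": "1.0"}
    oauth["oauth_signature"] = oauth1_signature(method, url, {**params, **oauth},
                                                consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def server_verify(method, url, params, header, consumer_secrets, token_secrets):
    # What the API server can check: look up both secrets by key, recompute, compare.
    # Nothing in this check depends on which binary built the request.
    fields = {k: unquote(v.strip('"')) for k, v in
              (f.split("=", 1) for f in header[len("OAuth "):].split(", "))}
    sent = fields.pop("oauth_signature", "")
    cs = consumer_secrets.get(fields.get("oauth_consumer_key"))
    ts = token_secrets.get(fields.get("oauth_token"))
    if cs is None or ts is None:
        return False
    return hmac.compare_digest(oauth1_signature(method, url, {**params, **fields}, cs, ts), sent)

# Constructed placeholder credentials (not real Twitter keys or tokens)
CONSUMER_KEY, CONSUMER_SECRET = "placeholder-consumer-key", "placeholder-consumer-secret"
TOKEN, TOKEN_SECRET = "placeholder-access-token", "placeholder-access-secret"
URL = "https://api.twitter.com/1.1/statuses/home_timeline.json"
PARAMS = {"count": "20"}

def client_header(consumer_secret=CONSUMER_SECRET):
    # Same request with a fixed nonce/timestamp, so two headers are directly comparable
    return sign_request("GET", URL, PARAMS, CONSUMER_KEY, consumer_secret,
                        TOKEN, TOKEN_SECRET, "constructed-nonce", "1352246400")

def server_accepts(header):
    return server_verify("GET", URL, PARAMS, header,
                         {CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET})

if __name__ == "__main__":
    official, rogue = client_header(), client_header()  # official app vs. app reusing its tokens
    print("identical headers:", official == rogue, "| server accepts rogue:", server_accepts(rogue))
```

A wrong consumer secret, or a header replayed against a different method or URL, is rejected, which is all the signature ever guarantees: possession of the secrets, not the identity of the program.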
  • Recap
    1. Twitter
    2. OAuth
    3. Ripping Consumer Tokens
    4. iOS / OS X + STTwitter
    5. Discussion
  • Twitter: @nst021
    Web: http://seriot.ch/abusing_twitter_api.php
    Slides: http://www.slideshare.net/ASF-WS/presentations