Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
AbusingTwitter APINicolas Seriot                 Application Security Forum - 2012                                    West...
Bio• Cocoa developer• HES Software Engineer• MAS Eco. Crime Investigation• Twitter user since July, 2008• Father of a newb...
Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
Tweets/day      now $8 billion valuation,                             340M      top-10 most visited websites              ...
March 2013: Maximum Evilness       “We’re trying to limit certain use cases       that occupy the upper-right quadrant.” h...
•   The author’s name and @username must be displayed to the right of the avatar.•   Reply, Retweet and Favorite Tweet act...
• Max. 100’000 users per Twitter client app.        • “Twitter discourages development in this area”            https://de...
Developers ♥ Stupid Rules!"Twitter obviously wants to make money by advertising in the stream.This will be impossible if a...
Breaking the Rules• OAuth authentication for every API request• "We reserve the right to revoke your app"  https://dev.twi...
Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/
@nst021            bitly                    Twitter    “Use my account”                            request_token          ...
@nst021 / iOS             Twitter                                    OAuth / Desktop          request_token             au...
@nst021 / iOS             Twitter                                                 Authenticationrequest_secret            ...
@nst021 / iOS             Twitter                                                Authentication                           ...
Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
/usr/bin/strings$ strings /Applications/Twitter.app/            Contents/MacOS/Twitter3rJOl1ODzm9yZy63FACdg5jPo***********...
Test the Tokens#!/usr/bin/env pythonimport tweepyCONSUMER_KEY = 3rJOl1ODzm9yZy63FACdgCONSUMER_SECRET = 5jPo***************...
/usr/bin/gdb$ gdb attach <PID of OS X accountsd>(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po $raxtXvOrlJDmLnTfi...
/usr/bin/gdb$ gdb attach <PID of iPhoneSimulator accountsd>(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po (int*)$...
Logging Freed Strings$ sudo dtrace -n pid$target::free:entry {   printf("%s", arg0 != NULL ?                copyinstr(arg0...
Objective-C Variant@implementation NSString (XX)+ (void)load {     Swizzle([NSString class],     @selector(dealloc),     @...
Other Techniques• Memory dump $ sudo ./gcore64 -c /tmp/dump.bin 4149 $ strings dump.bin | sort -u > /tmp/dump.txt # key=co...
Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
OS X Twitter Credentials      Accounts.framework           @nst021           xxxxxx
can use OS X                      …or can use customconsumer tokens…                     consumer tokens                ST...
STTwitterhttps://github.com/nst/STTwitterdemo from 55.750984, 37.617571
TwitHunterhttps://github.com/nst/TwitHunter
Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
1. Taking OAuth from web to Desktop was a   conceptual error. Consumer tokens simply   just cannot be kept secret on the D...
5. I have to conclude that the real grounds for   using OAuth is neither “security” nor spam   fighting but desire to contr...
Recap1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
Twitter: @nst021Web: http://seriot.ch/abusing_twitter_api.phpSlides: http://www.slideshare.net/ASF-WS/presentations
ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot
ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot
Upcoming SlideShare
Loading in …5
×

ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot

766 views

Published on

  • Be the first to comment

  • Be the first to like this

ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot

  1. 1. AbusingTwitter APINicolas Seriot Application Security Forum - 2012 Western Switzerland 7-8 novembre 2012 Y-Parc / Yverdon-les-Bains https://www.appsec-forum.ch
  2. 2. Bio• Cocoa developer• HES Software Engineer• MAS Eco. Crime Investigation• Twitter user since July, 2008• Father of a newborn
  3. 3. Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
  4. 4. Tweets/day now $8 billion valuation, 340M top-10 most visited websites 140M 5000 1M 22 50 65 verified promo. Dick promo. no accounts trending tweets Costolo tweets moreTwitter (celebrities) topics web CEO mobile RSSlaunch 2006 2007 2008 2009 2010 2011 2012 Tweetie TweetDeck stricter ToS, buyout buyout display guidelines last OS X client update v. 1.1API OAuth API v. 1.0 HTTP Basic Authentication
  5. 5. March 2013: Maximum Evilness “We’re trying to limit certain use cases that occupy the upper-right quadrant.” https://dev.twitter.com/blog/changes-coming-to-twitter-api
  6. 6. • The author’s name and @username must be displayed to the right of the avatar.• Reply, Retweet and Favorite Tweet actions must always be available.• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.• The Twitter logo or Follow button for the Tweet author must always be displayed.• The Tweet timestamp must always be linked to the Tweet permalink.• A timeline must not be rendered with non-Twitter content. e.g. from other networks. https://dev.twitter.com/terms/display-requirements
  7. 7. • Max. 100’000 users per Twitter client app. • “Twitter discourages development in this area” https://dev.twitter.com/terms/api-terms"Developers ask us if they should build client apps that mimic or reproducethe mainstream Twitter consumer client experience. The answer is no." "We need to move to a less fragmented world, where every user can experience Twitter in a consistent way."https://groups.google.com/forum/#! msg/twitter-development-talk/ yCzVnHqHIWo/sC34r_ZyMLYJ
  8. 8. Developers ♥ Stupid Rules!"Twitter obviously wants to make money by advertising in the stream.This will be impossible if all of the mechanisms arent implemented to spec within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third parties to prevent fraud, poor presentation, etc,"http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed- facebook-walled-garden
  9. 9. Breaking the Rules• OAuth authentication for every API request• "We reserve the right to revoke your app" https://dev.twitter.com/terms/api-terms• Can a rogue client spoof the identity of a regular client and use the API as it wants?
  10. 10. Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
  11. 11. http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/
  12. 12. @nst021 bitly Twitter “Use my account” request_token OAuth / Web authorize access_token home_timeline green coin is for bitly and @nst021
  13. 13. @nst021 / iOS Twitter OAuth / Desktop request_token authorize access_token home_timeline green coin is for bitly and @nst021
  14. 14. @nst021 / iOS Twitter Authenticationrequest_secret request_token PIN: 3 phasesrequest_keyconsumer_secretconsumer_key authorizeverifieraccess_secret access_tokenaccess_key home_timeline green coin is for bitly and @nst021
  15. 15. @nst021 / iOS Twitter Authentication xAuth: 1 phaseconsumer_secretconsumer_keyaccess_secret access_tokenaccess_keyusername home_timeline green coin ispassword for bitly and @nst021
  16. 16. Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
  17. 17. /usr/bin/strings$ strings /Applications/Twitter.app/ Contents/MacOS/Twitter3rJOl1ODzm9yZy63FACdg5jPo**************************************
  18. 18. Test the Tokens#!/usr/bin/env pythonimport tweepyCONSUMER_KEY = 3rJOl1ODzm9yZy63FACdgCONSUMER_SECRET = 5jPo**************************************auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)auth_url = auth.get_authorization_url()print "Please authorize:", auth_urlverifier = raw_input(PIN: ).strip()auth.get_access_token(verifier)print "ACCESS_KEY:", auth.access_token.keyprint "ACCESS_SECRET:", auth.access_token.secret demo
  19. 19. /usr/bin/gdb$ gdb attach <PID of OS X accountsd>(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po $raxtXvOrlJDmLnTfiUqJ3Kuw(gdb) b -[OACredential consumerSecret](gdb) finish(gdb) po $raxAWcB**************************************
  20. 20. /usr/bin/gdb$ gdb attach <PID of iPhoneSimulator accountsd>(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po (int*)$eaxWXZE9QillkIZpTANgLNT9g(gdb) b -[OACredential consumerSecret](gdb) finish(gdb) po (int*)$eaxAau5************************************** demo
  21. 21. Logging Freed Strings$ sudo dtrace -n pid$target::free:entry { printf("%s", arg0 != NULL ? copyinstr(arg0) : "<NULL>"); } -p 10123
  22. 22. Objective-C Variant@implementation NSString (XX)+ (void)load { Swizzle([NSString class], @selector(dealloc), @selector(my_dealloc));}- (void)my_dealloc { NSLog(@"%@", self); [self my_dealloc];}@end(gdb) p (char)[[NSBundle bundleWithPath: @"/Library/Frameworks/XX.framework"] load]
  23. 23. Other Techniques• Memory dump $ sudo ./gcore64 -c /tmp/dump.bin 4149 $ strings dump.bin | sort -u > /tmp/dump.txt # key=consumerSecret& $ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt• Google…
  24. 24. Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
  25. 25. OS X Twitter Credentials Accounts.framework @nst021 xxxxxx
  26. 26. can use OS X …or can use customconsumer tokens… consumer tokens STTwitterAPIWrapper + twitterAPIWith... - getHomeTimeline STTwitter - postStatus STTwitterOAuthProtocol STTwitterOAuth STOAuthOSX STHTTPRequest Accounts.framework Social.framework
  27. 27. STTwitterhttps://github.com/nst/STTwitterdemo from 55.750984, 37.617571
  28. 28. TwitHunterhttps://github.com/nst/TwitHunter
  29. 29. Agenda1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
  30. 30. 1. Taking OAuth from web to Desktop was a conceptual error. Consumer tokens simply just cannot be kept secret on the Desktop.2. Twitter cannot realistically revoke keys from popular clients, especially from OS X / iOS.3. xAuth brings nothing more that HTTP Digest Authentication, and sends password in the request token phase.4. OAuth cannot reliably identify the client, and additionally puts the users at risk. OAuth Session Fixation Attack Demo
  31. 31. 5. I have to conclude that the real grounds for using OAuth is neither “security” nor spam fighting but desire to control third- party client applications to please big media, consumers and advertisers.6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure if it can be solved.
  32. 32. Recap1. Twitter2. OAuth3. Ripping Consumer Tokens4. iOS / OS X + STTwitter5. Discussion
  33. 33. Twitter: @nst021Web: http://seriot.ch/abusing_twitter_api.phpSlides: http://www.slideshare.net/ASF-WS/presentations

×