B-sides Las Vegas - social network security

1,942 views

Published on

A presentation I gave at the first b-sides Las Vegas security conference showing the security challenges we face going forward in the era of open-by-default social networking.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

B-sides Las Vegas - social network security

  1. 1. Twitter API Hacks Unicorns Hacks Unicorns <ul><li>Damon P. Cortesi </li></ul><ul><li>Alchemy Security, LLC </li></ul>Social Networking, Raping the Twitter API, the Age Before Firewalls/Unicorns and the Pitfalls of Rapid Application Development -- Crowd-sourced version. ;)
  2. 2. @dacort
  3. 3. A Twistory of Security #fail Security #fail
  4. 4. April 2008 <ul><li>CSRF (via @McGrewSecurity) </li></ul>
  5. 5. July 2008 <ul><li>Staging Server + SQL Debug </li></ul>
  6. 7. Fix <ul><li>Require Basic Auth </li></ul><ul><li>Limit by IP </li></ul><ul><li>Don’t expose to web </li></ul>
  7. 8. #FAIL <ul><li>Basic Auth not enabled on HTTPS </li></ul>
  8. 10. November 2008 <ul><li>TwitterRank “scam” </li></ul>
  9. 12. Password Security 5 Minutes Later
  10. 13. December 2008 <ul><li>XSS in newly deployed user search </li></ul>
  11. 14. December 2008 <ul><li>Information Disclosure Vulnerability </li></ul><ul><li>Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords </li></ul>
  12. 15. Retrieve Username $.getJSON(&quot; http://twitter.com /statuses/user_timeline?count=1&callback=? &quot;, function(data) { alert(&quot;Username is: &quot; + data[0].user.screen_name ) }); {&quot;text&quot;:&quot;Pretty sure humans have kneecaps so we can slam them into tables. *ow*&quot;,&quot;truncated&quot;:false, &quot;user&quot; :{&quot;following&quot;:null,&quot;time_zone&quot;:&quot;Pacific Time (US & Canada)&quot;,&quot;description&quot;:&quot;Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http://tweetstats.com and http://ratemytalk.com).&quot;, &quot;screen_name&quot;:&quot;dacort&quot; ,&quot;utc_offset&quot;:-28800,&quot;profile_sidebar_border_color&quot;:&quot;87bc44&quot;,&quot;notifications&quot;:null,&quot;created_at&quot;:&quot;Thu Dec 21 07:14:05 +0000 2006&quot;,&quot;profile_text_color&quot;:&quot;000000&quot;,&quot;url&quot;:&quot;http://dcortesi.com&quot;,&quot;name&quot;:&quot;Damon Cortesi&quot;,&quot;statuses_count&quot;:21385,&quot;profile_background_image_url&quot;:&quot;http://static.twitter.com/images/themes/theme1/bg.gif&quot;,&quot;followers_count&quot;:4441,&quot;protected&quot;:false,&quot;profile_link_color&quot;:&quot;A100FF&quot;,&quot;profile_background_tile&quot;:false,&quot;friends_count&quot;:1775,&quot;profile_background_color&quot;:&quot;000000&quot;,&quot;verified&quot;:false,&quot;favourites_count&quot;:202,&quot;profile_image_url&quot;:&quot;http://s3.amazonaws.com/twitter_production/profile_images/90802743/Famous_Glasses_normal.jpg&quot;,&quot;location&quot;:&quot;Seattle, WA&quot;,&quot;id&quot;:99723,&quot;profile_sidebar_fill_color&quot;:&quot;e0ff92&quot;},&quot;in_reply_to_status_id&quot;:null,&quot;created_at&quot;:&quot;Mon Jul 27 21:37:53 +0000 2009&quot;,&quot;in_reply_to_user_id&quot;:null,&quot;favorited&quot;:false,&quot;in_reply_to_screen_name&quot;:null,&quot;id&quot;:2877957719,&quot;source&quot;:&quot;<a href=&quot;http:// www.atebits.com /&quot;>Tweetie</a>&quot;}
  13. 16. Courtesy of @harper
  14. 17. January 2009 <ul><li>Twitter admin interface compromised </li></ul><ul><li>Publicly accessible </li></ul><ul><li>Logins tied to employee Twitter accounts </li></ul><ul><li>Not to mention... </li></ul><ul><ul><li>“happiness” </li></ul></ul>
  15. 18. March 2009 <ul><li>Information disclosure </li></ul><ul><li>Account restoration </li></ul><ul><li>Deleted username -> Email </li></ul>
  16. 19. April 2009 <ul><li>Race to 1 million </li></ul><ul><li>4chan </li></ul><ul><ul><li>scripts and kiddies and captchas </li></ul></ul>
  17. 20. April 2009 <ul><li>Mikeyy Worm </li></ul><ul><li>( What is it with guys whose names end in “y” ) </li></ul><ul><li>Basic, run-of-the-mill XSS </li></ul>
  18. 22. April 2009 <ul><li>Mikeyy Worm </li></ul><ul><li>( What is it with guys whose names end in “y” ) </li></ul><ul><li>Basic, run-of-the-mill XSS </li></ul><ul><li>What is special is Twitter’s #FAIL </li></ul>
  19. 23. Saturday, April 11 Sunday, April 12
  20. 24. Monday, April 13 Friday, April 17
  21. 26. July 2009 <ul><li>Cloud insecurity ;) </li></ul>
  22. 27. Cloud Services <ul><li>When you don’t control the service </li></ul><ul><ul><li>You don’t know how vulnerable you are </li></ul></ul><ul><li>But </li></ul><ul><ul><li>No difference for a targeted attacker </li></ul></ul><ul><ul><li>Just different risks / attack vectors </li></ul></ul>
  23. 28. Cloud vs ? <ul><li>VPN vs. global access </li></ul><ul><li>Managed vs. unpatched/poorly managed </li></ul>
  24. 29. <ul><li>Server mis-configuration </li></ul><ul><li>Weak passwords </li></ul><ul><li>Cross-Site [Scripting|Request Forgery] </li></ul><ul><li>Information Disclosure </li></ul><ul><li>Spam </li></ul><ul><li>Phishing </li></ul>
  25. 30. Before I continue... <ul><li>Props to @a3lx (Alex Payne) and @netik (John Adams) </li></ul><ul><li>Keeping the security ship floating at Twitter </li></ul><ul><li>mod_memcache_block by netik </li></ul><ul><ul><li>Apache module that allows you to block access to your servers using a block list stored in memcache. </li></ul></ul>
  26. 31. Not just Twitter <ul><li>Users </li></ul><ul><ul><li>People love to click links </li></ul></ul><ul><ul><li>People are socializing in a huge public forum </li></ul></ul><ul><li>URL Shorteners </li></ul><ul><ul><li>Obfuscation, malware and virii, oh my! </li></ul></ul>
  27. 32. Phishing <ul><li>Users think nothing of clicking a link </li></ul><ul><ul><li>Entering their password </li></ul></ul><ul><li>Just yesterday - twitviewer.net </li></ul><ul><ul><li>Takes advantage of ego </li></ul></ul><ul><ul><li>Same thing on MySpace </li></ul></ul>
  28. 33. Malware || Misinformation <ul><li>Both spread via Twitter </li></ul>
  29. 34. Too easy...
  30. 35. But wait, there’s more
  31. 36. And MORE!
  32. 37. Users - #twitterpornname <ul><li>While your “Porn Name” may be a fun game to play amongst friends... </li></ul><ul><ul><li>1st Pet’s name + rand(‘street’, ‘teacher’) </li></ul></ul>
  33. 38. Oh, Shorteners...
  34. 40. TinyURL @rafallos
  35. 41. Third Parties <ul><li>TwitPic Integration from client apps </li></ul><ul><li>Is your password only local to the client app? </li></ul><ul><ul><li>Nope. Not if you “twitpic” something. </li></ul></ul>
  36. 42. Not just Twitter <ul><li>1 day of random sampling </li></ul><ul><li>>1,000 apps posting to Twitter </li></ul><ul><ul><li>Web, Mobile Web </li></ul></ul><ul><ul><li>Desktop </li></ul></ul><ul><li>>10,000 OAuth-registered apps </li></ul><ul><li>So when you say “secure Twitter” ... </li></ul>
  37. 43. OAuth Will Save us All
  38. 44. Not really... <ul><li>OAuth vulnerability required Twitter to shut down OAuth with no notice. </li></ul><ul><li>Only read and read/write </li></ul><ul><ul><li>Read includes DMs </li></ul></ul><ul><ul><li>Also, your “protected” friends’ accounts </li></ul></ul><ul><li>OAuth creds stored instead of passwords </li></ul><ul><ul><li>vi </li></ul></ul>
  39. 45. Again, Not just Twitter “ What Other Users Can See via the Facebook Platform” “ When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see.”
  40. 46. #FAIL <ul><li>Applications will try to retain as much information about you as possible. </li></ul><ul><li>No personal firewall for SocNet’s yet. </li></ul><ul><li>Continually Eroding Privacy </li></ul><ul><ul><li>http://tweepsearch.com/search?query= &quot;works+at+apple&quot; </li></ul></ul><ul><ul><li>Seattle coffee shops </li></ul></ul>
  41. 47. In ur Cookies
  42. 48. The rest of Web 2.0 <ul><li>Another micro-blogging site </li></ul>
  43. 49. Info Disclosure <ul><li>Another micro-blogging service </li></ul><ul><li>User emails displayed on confirmation page </li></ul>
  44. 50. Poor Design <ul><li>Email Service </li></ul><ul><li>RSS feed of inbox </li></ul><ul><ul><li>Unauthenticated </li></ul></ul><ul><ul><li>HTTP </li></ul></ul>
  45. 51. Geo-Loc SQLi <ul><li>iPhone app - shows nearby updates </li></ul><ul><li>Integrated web site </li></ul><ul><li>SQL Injection </li></ul><ul><li>Reported twice, no response </li></ul><ul><ul><li>Geo-tracking ensues </li></ul></ul>
  46. 52. Web 2.0 Frameworks <ul><li>As of Django 1.0 (Sep 2008), HTML is auto-escaped </li></ul><ul><li>Does Rails? -------------------------- No </li></ul><ul><li>Does Google App Engine? -------- No </li></ul><ul><li>Does ASP.NET ---------------------- On built-in controls </li></ul><ul><ul><li>Also has built-in request validation </li></ul></ul>
  47. 54. Web 2.0 Frameworks <ul><li>As of Django 1.0 (Sep 2008), HTML is auto-escaped </li></ul><ul><li>Does Rails? -------------------------- No </li></ul><ul><li>Does Google App Engine? -------- No </li></ul><ul><li>Does ASP.NET ---------------------- On built-in controls </li></ul><ul><ul><li>Also has built-in request validation </li></ul></ul>
  48. 55. RESTful APIs <ul><li>Asking for some CSRF hurt </li></ul><ul><li>i.e. Updates not always restricted to POST </li></ul>
  49. 56. Why? <ul><li>Non-standard frameworks </li></ul><ul><li>Lack of awareness </li></ul><ul><li>Lack of standard disclosure channels </li></ul><ul><ul><li>Disclosure policies? </li></ul></ul>
  50. 57. Disclosure... <ul><li>So this guy, @quine </li></ul><ul><li>Blogged a blog... </li></ul>
  51. 58. Web Disclosure <ul><li>No clear lines </li></ul><ul><li>Ambulance chasers </li></ul><ul><li>Potential for legal action </li></ul><ul><li>Little vendor responsibility </li></ul><ul><li>More trouble than it’s worth </li></ul>
  52. 59. Solutions? <ul><li>OSVDB Extension? </li></ul><ul><li>Separate entity? </li></ul><ul><li>You tell me? </li></ul>

×