Post on 03-Sep-2014
description
transcript
Application Security Forum - 2012Western Switzerland
7-8 novembre 2012Y-Parc / Yverdon-les-Bainshttps://www.appsec-forum.ch
AbusingTwitter APINicolas Seriot
Bio
• Cocoa developer
• HES Software Engineer
• MAS Eco. Crime Investigation
• Twitter user since July, 2008
• Father of a newborn
Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
2006 2007 2008 2009 2010 2011 2012
5000 22501M65
140M340M
Twee
ts/d
ay
promo.tweetsmobile
promo.tweetsweb
verifiedaccounts
(celebrities)Twitterlaunch
trendingtopics
nomoreRSS
last OS X client update
TweetDeckbuyout
Tweetiebuyout
DickCostolo
CEO
stricter ToS,display guidelines
API
HTTP Basic AuthenticationOAuth API v. 1.0
v. 1.1
now $8 billion valuation,top-10 most visited websites
March 2013: Maximum Evilness
“We’re trying to limit certain use casesthat occupy the upper-right quadrant.”
https://dev.twitter.com/blog/changes-coming-to-twitter-api
https://dev.twitter.com/terms/display-requirements
• The author’s name and @username must be displayed to the right of the avatar.
• Reply, Retweet and Favorite Tweet actions must always be available.
• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
• The Twitter logo or Follow button for the Tweet author must always be displayed.
• The Tweet timestamp must always be linked to the Tweet permalink.
• A timeline must not be rendered with non-Twitter content. e.g. from other networks.
"Developers ask us if they should build client apps that mimic or reproduce
the mainstream Twitter consumer client experience. The answer is no."
"We need to move to a less fragmented world, where every user can experience Twitter in a
consistent way."
https://groups.google.com/forum/#!msg/twitter-development-talk/
yCzVnHqHIWo/sC34r_ZyMLYJ
• Max. 100’000 users per Twitter client app.
• “Twitter discourages development in this area” https://dev.twitter.com/terms/api-terms
"Twitter obviously wants to make money by advertising in the stream. This will be impossible if all of the mechanisms aren't implemented to spec
within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third
parties to prevent fraud, poor presentation, etc,"
http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden
Developers ♥ Stupid Rules!
Breaking the Rules
• OAuth authentication for every API request
• "We reserve the right to revoke your app" https://dev.twitter.com/terms/api-terms
• Can a rogue client spoof the identity of a regular client and use the API as it wants?
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/
@nst021 bitly Twitter
request_token
authorize
“Use my account”
access_token
home_timeline green coin is for bitly and
@nst021
OA
uth
/ Web
@nst021 / iOS Twitter
request_token
authorize
access_token
home_timeline green coin is for bitly and
@nst021
OA
uth
/ Des
ktop
@nst021 / iOS Twitter
request_token
authorize
access_token
home_timeline green coin is for bitly and
@nst021
consumer_secret
consumer_key
access_secret
access_key
verifier
request_secret
request_key
PIN
: 3 p
hase
sA
uthe
ntic
atio
n
@nst021 / iOS Twitter
access_token
home_timeline green coin is for bitly and
@nst021
consumer_secret
consumer_key
access_secret
access_key
username
password
xAut
h: 1
pha
seA
uthe
ntic
atio
n
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
/usr/bin/strings
$ strings /Applications/Twitter.app/ \ Contents/MacOS/Twitter
3rJOl1ODzm9yZy63FACdg5jPo**************************************
Test the Tokens
demo
#!/usr/bin/env python
import tweepy
CONSUMER_KEY = '3rJOl1ODzm9yZy63FACdg'CONSUMER_SECRET = '5jPo**************************************'
auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)auth_url = auth.get_authorization_url()print "Please authorize:", auth_url
verifier = raw_input('PIN: ').strip()auth.get_access_token(verifier)
print "ACCESS_KEY:", auth.access_token.keyprint "ACCESS_SECRET:", auth.access_token.secret
/usr/bin/gdb$ gdb attach <PID of OS X accountsd>
(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po $raxtXvOrlJDmLnTfiUqJ3Kuw
(gdb) b -[OACredential consumerSecret](gdb) finish(gdb) po $raxAWcB**************************************
/usr/bin/gdb$ gdb attach <PID of iPhoneSimulator accountsd>
(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po (int*)$eaxWXZE9QillkIZpTANgLNT9g
(gdb) b -[OACredential consumerSecret](gdb) finish(gdb) po (int*)$eaxAau5**************************************
demo
Logging Freed Strings
$ sudo dtrace -n 'pid$target::free:entry { \ printf("%s", arg0 != NULL ? \ copyinstr(arg0) : \ "<NULL>"); }' -p 10123
Objective-C Variant@implementation NSString (XX)+ (void)load { Swizzle([NSString class], @selector(dealloc), @selector(my_dealloc));}- (void)my_dealloc { NSLog(@"%@", self); [self my_dealloc];}@end
(gdb) p (char)[[NSBundle bundleWithPath: @"/Library/Frameworks/XX.framework"] load]
Other Techniques
• Memory dump
$ sudo ./gcore64 -c /tmp/dump.bin 4149
$ strings dump.bin | sort -u > /tmp/dump.txt
# key=consumerSecret&$ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt
• Google…
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
OS X Twitter Credentials
Accounts.framework
@nst021xxxxxx
STTwitterAPIWrapper
+ twitterAPIWith... - getHomeTimeline - postStatus
STTwitterAPIWrapper
+ twitterAPIWith... - getHomeTimeline - postStatus
STTwitterOAuthProtocolSTTwitterOAuthProtocol
STOAuthOSXSTTwitterOAuth
STOAuthOSXSTHTTPRequest
Accounts.frameworkSocial.framework
STTw
itter
can use OS X consumer tokens…
…or can use custom consumer tokens
demo from 55.750984, 37.617571
STTwitter
https://github.com/nst/STTwitter
TwitHunter
https://github.com/nst/TwitHunter
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
1. Taking OAuth from web to Desktop was a conceptual error. Consumer tokens simply just cannot be kept secret on the Desktop.
2. Twitter cannot realistically revoke keys from popular clients, especially from OS X / iOS.
3. xAuth brings nothing more that HTTP Digest Authentication, and sends password in the request token phase.
4. OAuth cannot reliably identify the client, and additionally puts the users at risk.
OAuth Session Fixation Attack Demo
5. I have to conclude that the real grounds for using OAuth is neither “security” nor spam fighting but desire to control third-party client applications to please big media, consumers and advertisers.
6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure if it can be solved.
Recap
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Twitter: @nst021
Web: http://seriot.ch/abusing_twitter_api.php
Slides: http://www.slideshare.net/ASF-WS/presentations