akkiliON

Twitter fixes bug that enabled takeover of any account!


Security researcher Henry Hoggard recently discovered a cross-site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature, giving him the ability to read direct messages and tweet from any account.

Hoggard, a security researcher at MWRInfosecurity, told Threatpost via email that he found the bug in his spare time and reported it to Twitter. Twitter then resolved the vulnerability within 24 hours. Hoggard then posted the details on his personal blog.


A CSRF vulnerability forces a user to execute unwanted actions in an application or service for which that user is already authenticated. These attacks generally involve some social engineering such as sending an email with a malicious attachment. When successful, an attacker can wrest control of a user’s account, which could have a wide range of impacts depending on the application in question and the level of rights granted to the targeted user.

In this case, Hoggard found the CSRF bug in a Twitter feature that gives users the ability to add a mobile device to their account and control that account via SMS using the mobile device added.

By creating a CSRF page, Hoggard realized that an attacker could add his own phone number and network to the victim’s account. Of course, Twitter built an authentication token into the feature that should have prevented this sort of attack. Unfortunately, Twitter was not actually checking to make sure that the token value was correct, which means that an attacker could enter any value whatsoever for the token and still get validated.

Hoggard claims that an attacker could compromise a victim account by sending the targeted user a link to a malicious website containing his exploit code (the CSRF page plus a link to Twitter’s “add a device” activation page).

If the user clicks the link, he or she will be unwittingly initiating the process to authenticate the attacker’s device. Twitter, therefore, would be waiting for someone (in this case the attacker) to text “GO” to the mobile short code number that activates the device.

Once this is done, the attacker would receive a device activation notification and would now have the ability to send and receive tweets by texting his or her desired message to the same mobile short code number.

Users with the NoScript extension installed on their browser would not have been affected by this vulnerability even before Twitter fixed it, according to the researcher.

Twitter did not respond to a request for comment, but Hoggard provided communication logs between himself and the social network’s application security team, noting that Twitter fixed the bug incredibly quickly. The logs show that Twitter received his bug report on the morning of November 3, requesting that Hoggard not publicize his findings immediately. Early that same afternoon, the logs indicate that Twitter had resolved the issue.

Twitter Fixes Bug that Enabled Takeover of Any Account | Threatpost | The First Stop For Security News
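The article's key point is that the "add a device" form did carry an authenticity token, but the server only checked that a token was present, not that its value matched the one issued to the user's session. The following is an added illustration (not code from Twitter, Threatpost or the researcher) of that failure mode beside the corrected check, using a constructed in-memory session store and made-up origin and phone values; the names `add_device_vulnerable`, `add_device_fixed` and `https://twitter.example` are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS: Dict[str, dict] = {}


def new_session(user: str) -> str:
    """Create a logged-in session and mint a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),
        "devices": [],
    }
    return sid


def add_device_vulnerable(sid: str, form: Dict[str, str]) -> bool:
    """The pattern the article describes: the form carries an authenticity
    token, but the handler only checks that *some* value was supplied,
    so a forged cross-site request with a junk token is accepted."""
    session = SESSIONS[sid]
    if not form.get("authenticity_token"):
        return False
    session["devices"].append(form["phone"])
    return True


def add_device_fixed(
    sid: str,
    form: Dict[str, str],
    origin: Optional[str] = None,
    allowed_origin: str = "https://twitter.example",  # assumed site origin
) -> bool:
    """Corrected handler: the supplied token must equal the token bound to
    this session, compared in constant time. The Origin header check is
    defence in depth, since a third-party page cannot spoof it."""
    session = SESSIONS[sid]
    expected = session["csrf_token"]
    supplied = form.get("authenticity_token", "")
    if not hmac.compare_digest(supplied, expected):
        return False
    if origin is not None and origin != allowed_origin:
        return False
    session["devices"].append(form["phone"])
    return True


def demo() -> dict:
    """Run both handlers against a forged and a genuine request and report
    which ones were accepted. Phone numbers and origins are constructed."""
    sid = new_session("victim")
    # A request forged from another site: the attacker cannot read the
    # victim's real token, so the form carries an arbitrary value.
    forged = {"authenticity_token": "anything", "phone": "+15550000001"}
    # A legitimate submission from the site's own page carries the real token.
    genuine = {
        "authenticity_token": SESSIONS[sid]["csrf_token"],
        "phone": "+15550000002",
    }
    return {
        "vuln_accepts_forged": add_device_vulnerable(sid, forged),
        "fixed_rejects_forged": not add_device_fixed(
            sid, forged, origin="https://evil.example"
        ),
        "fixed_accepts_genuine": add_device_fixed(
            sid, genuine, origin="https://twitter.example"
        ),
        "devices": list(SESSIONS[sid]["devices"]),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler accepts the forged request because it never compares the token to anything; the fixed handler rejects it and accepts only the submission carrying the session's own token. When reviewing a state-changing endpoint, the check to look for is exactly this: not "is a token present" but "does the token equal the one issued to this session".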
