Simon Willison’s Weblog

Items tagged security, twitter

Filters: security × twitter ×


The Anatomy Of The Twitter Attack. Long-winded explanation of the recent Twitter break-in, but you can scroll to the bottom for a numbered list summary. The attacker first broke in to a Twitter employee’s personal Gmail account by “recovering” it against an expired Hotmail account (which the attacker could hence register themselves). They gained access to more passwords by searching for e-mails from badly implemented sites that send you your password in the clear. # 20th July 2009, 12:55 am

17-year-old claims responsibility for Twitter worm. It was a text book XSS attack—the URL on the user profile wasn’t properly escaped, allowing an attacker to insert a script element linking out to externally hosted JavaScript which then used Ajax to steal any logged-in user’s anti-CSRF token and use it to self-replicate in to their profile. # 12th April 2009, 7:22 pm

Twitter Don’t Click Exploit. Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. Thiss will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit. # 12th February 2009, 7:56 pm

Rate limiting with memcached

On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal.

[... 910 words]

Weak Password Brings “Happiness” to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts. # 7th January 2009, 12:04 pm

The Twitter administrator hack was a dictionary attack. I quoted Blaine earlier suggesting that the recent Twitter mass-hack was due to a Twitter admin password being scooped up by a rogue third party application—this was not the case, as Alex Payne explains in a comment. # 6th January 2009, 11:56 pm

As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter’s admin interface.

Blaine Cook # 6th January 2009, 9:37 am

The username/password key’s major disadvantage is that it open all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That’s a benefit, to be sure, but in Twitter’s case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.

Alex Payne # 5th January 2009, 10:47 am

Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder. # 2nd January 2009, 10:48 am

Now You Can Sign Into Friend Connect Sites With Your Twitter ID. Great. Now even Google is asking me for my Twitter password. Slow clap. How’s that Twitter OAuth beta coming along? # 15th December 2008, 5:20 pm

OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

Blaine Cook # 14th August 2008, 10:01 am

The statement that the password anti-pattern “teaches users to be phished” should be rephrased “has taught users to be phished”

Me, on Twitter # 13th August 2008, 12:52 pm

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks. # 27th September 2007, 1:55 pm

The Twitter API Respects Your Privacy. Not Twitter’s fault: The users who exposed their data through Twittervision had given that site their username and password; Twittervision was failing to hide protected updates. # 24th May 2007, 11:37 pm

There’s a hole in your Twitter. If you’ve been using friends-only messages on Twitter they may currently be exposed via the API. # 24th May 2007, 5:03 pm