b-sides las vegas - social network security
DESCRIPTION
A presentation I gave at the first b-sides Las Vegas security conference showing the security challenges we face going forward in the era of open-by-default social networking.
TRANSCRIPT
![Page 1: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/1.jpg)
Twitter API Hacks Unicorns
Damon P. Cortesi, Alchemy Security, LLC
Social Networking, Raping the Twitter API, the Age Before Firewalls/Unicorns and the Pitfalls of Rapid Application Development -- Crowd-sourced version. ;)
![Page 2: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/2.jpg)
@dacort
![Page 3: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/3.jpg)
A Twistory of Security #fail
![Page 4: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/4.jpg)
April 2008
•CSRF (via @McGrewSecurity)
![Page 5: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/5.jpg)
July 2008
•Staging Server + SQL Debug
![Page 6: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/6.jpg)
![Page 7: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/7.jpg)
Fix
•Require Basic Auth
•Limit by IP
•Don’t expose to web
![Page 8: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/8.jpg)
#FAIL
•Basic Auth not enabled on HTTPS
![Page 9: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/9.jpg)
![Page 10: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/10.jpg)
November 2008
•TwitterRank “scam”
![Page 11: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/11.jpg)
![Page 12: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/12.jpg)
Password Security
5 Minutes Later
![Page 13: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/13.jpg)
December 2008
•XSS in newly deployed user search
![Page 14: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/14.jpg)
December 2008
•Information Disclosure Vulnerability
•Any site could determine your Twitter username via nifty RESTful API and JSON callbacks. #buzzwords
![Page 15: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/15.jpg)
Retrieve Username

```javascript
// Demo from the slide: because the authenticated timeline endpoint honours a
// JSONP callback, any page the logged-in user visits can read their screen name.
$.getJSON("http://twitter.com/statuses/user_timeline?count=1&callback=?", function(data) {
  alert("Username is: " + data[0].user.screen_name);
});
```

Response:

```json
{"text":"Pretty sure humans have kneecaps so we can slam them into tables. *ow*","truncated":false,"user":{"following":null,"time_zone":"Pacific Time (US & Canada)","description":"Prof. Computer Security Consultant with a passion for breaking things and generating statistics (see http:\/\/tweetstats.com and http:\/\/ratemytalk.com).","screen_name":"dacort","utc_offset":-28800,"profile_sidebar_border_color":"87bc44","notifications":null,"created_at":"Thu Dec 21 07:14:05 +0000 2006","profile_text_color":"000000","url":"http:\/\/dcortesi.com","name":"Damon Cortesi","statuses_count":21385,"profile_background_image_url":"http:\/\/static.twitter.com\/images\/themes\/theme1\/bg.gif","followers_count":4441,"protected":false,"profile_link_color":"A100FF","profile_background_tile":false,"friends_count":1775,"profile_background_color":"000000","verified":false,"favourites_count":202,"profile_image_url":"http:\/\/s3.amazonaws.com\/twitter_production\/profile_images\/90802743\/Famous_Glasses_normal.jpg","location":"Seattle, WA","id":99723,"profile_sidebar_fill_color":"e0ff92"},"in_reply_to_status_id":null,"created_at":"Mon Jul 27 21:37:53 +0000 2009","in_reply_to_user_id":null,"favorited":false,"in_reply_to_screen_name":null,"id":2877957719,"source":"<a href=\"http:\/\/www.atebits.com\/\">Tweetie<\/a>"}
```
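Why the callback parameter is the problem, and one way to close it, as an added example that is not from the talk or Twitter's own code. The request shape, session cookie value and user object are constructed stand-ins.

```javascript
// Added example: a pure model of a JSONP-enabled, cookie-authenticated
// timeline endpoint. The browser attaches the session cookie to a
// cross-origin <script src=...> request, and the callback wrapper turns
// the JSON into script the attacker's page can execute and read.

const SAMPLE_USER = { screen_name: "example_user" };   // constructed

// Resolve the session cookie to a user; null means "not logged in".
function sessionUser(req) {
  return req.cookie === "session=valid" ? SAMPLE_USER : null;
}

// Vulnerable behaviour as on the slide: cookie auth plus JSONP wrapper.
function userTimelineVulnerable(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, body: "" };
  const payload = JSON.stringify([{ text: "hello", user }]);
  if (req.query.callback) {
    return { status: 200, contentType: "application/javascript",
             body: `${req.query.callback}(${payload});` };
  }
  return { status: 200, contentType: "application/json", body: payload };
}

// Hardened: a cookie-authenticated response is never wrapped in a callback,
// and the content type stays JSON, so a <script> tag on another origin
// cannot consume it. (CORS with an explicit Origin allow-list is the
// modern replacement for JSONP where cross-origin reads are intended.)
function userTimelineHardened(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, body: "" };
  if (req.query.callback) {
    // Refuse to mix ambient cookie credentials with a cross-site script read.
    return { status: 400, contentType: "application/json",
             body: JSON.stringify({ error: "callback not allowed on authenticated requests" }) };
  }
  const payload = JSON.stringify([{ text: "hello", user }]);
  return { status: 200, contentType: "application/json", body: payload };
}
```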
![Page 16: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/16.jpg)
Courtesy of @harper
![Page 17: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/17.jpg)
January 2009
•Twitter admin interface compromised
•Publicly accessible
•Logins tied to employee Twitter accounts
•Not to mention...
•“happiness”
![Page 18: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/18.jpg)
March 2009
•Information disclosure
•Account restoration
•Deleted username -> Email
![Page 19: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/19.jpg)
April 2009
•Race to 1 million
•4chan
•scripts and kiddies and captchas
![Page 20: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/20.jpg)
April 2009
•Mikeyy Worm
• (What is it with guys whose names end in “y”)
•Basic, run-of-the-mill XSS
![Page 21: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/21.jpg)
![Page 22: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/22.jpg)
•What is special is Twitter’s #FAIL
![Page 23: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/23.jpg)
Saturday, April 11
Sunday, April 12
![Page 24: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/24.jpg)
Monday, April 13
Friday, April 17
![Page 25: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/25.jpg)
![Page 26: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/26.jpg)
July 2009
•Cloud insecurity ;)
![Page 27: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/27.jpg)
Cloud Services
•When you don’t control the service
•You don’t know how vulnerable you are
•But
•No difference for a targeted attacker
•Just different risks / attack vectors
![Page 28: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/28.jpg)
Cloud vs ?
•VPN vs. global access
•Managed vs. unpatched/poorly managed
![Page 29: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/29.jpg)
•Server mis-configuration
•Weak passwords
•Cross-Site [Scripting|Request Forgery]
• Information Disclosure
•Spam
•Phishing
![Page 30: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/30.jpg)
Before I continue...
•Props to @a3lx (Alex Payne) and @netik (John Adams)
•Keeping the security ship floating at Twitter
•mod_memcache_block by netik
•Apache module that allows you to block access to your servers using a block list stored in memcache.
![Page 31: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/31.jpg)
Not just Twitter
•Users
•People love to click links
•People are socializing in a huge public forum
•URL Shorteners
•Obfuscation, malware and virii, oh my!
![Page 32: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/32.jpg)
Phishing
•Users think nothing of clicking a link
•Entering their password
•Just yesterday - twitviewer.net
•Takes advantage of ego
•Same thing on MySpace
![Page 33: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/33.jpg)
Malware || Misinformation
•Both spread via Twitter
![Page 34: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/34.jpg)
Too easy...
![Page 35: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/35.jpg)
But wait, there’s more
![Page 36: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/36.jpg)
And MORE!
![Page 37: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/37.jpg)
Users - #twitterpornname
•While your “Porn Name” may be a fun game to play amongst friends...
•1st Pet’s name + rand(‘street’, ‘teacher’)
![Page 38: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/38.jpg)
Oh, Shorteners...
![Page 39: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/39.jpg)
![Page 40: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/40.jpg)
TinyURL
@rafallos
![Page 41: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/41.jpg)
Third Parties
•TwitPic Integration from client apps
•Is your password only local to the client app?
•Nope. Not if you “twitpic” something.
![Page 42: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/42.jpg)
Not just Twitter
•1 day of random sampling
•>1,000 apps posting to Twitter
•Web, Mobile Web
•Desktop
•>10,000 OAuth-registered apps
•So when you say “secure Twitter” ...
![Page 43: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/43.jpg)
OAuth Will Save us All
![Page 44: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/44.jpg)
Not really...
•OAuth vulnerability required Twitter to shut down OAuth with no notice.
•Only read and read/write
•Read includes DMs
•Also, your “protected” friends’ accounts
•OAuth creds stored instead of passwords
•vi
![Page 45: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/45.jpg)
Again, Not just Twitter
“What Other Users Can See via the Facebook Platform”
“When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see.”
![Page 46: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/46.jpg)
#FAIL
•Applications will try to retain as much information about you as possible.
•No personal firewall for SocNet’s yet.
•Continually Eroding Privacy
•http://tweepsearch.com/search?query="works+at+apple"
•Seattle coffee shops
![Page 47: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/47.jpg)
In ur Cookies
![Page 48: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/48.jpg)
The rest of Web 2.0
•Another micro-blogging site
![Page 49: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/49.jpg)
Info Disclosure
•Another micro-blogging service
•User emails displayed on confirmation page
![Page 50: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/50.jpg)
Poor Design
•Email Service
•RSS feed of inbox
•Unauthenticated
•HTTP
![Page 51: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/51.jpg)
Geo-Loc SQLi
•iPhone app - shows nearby updates
•Integrated web site
•SQL Injection
•Reported twice, no response
•Geo-tracking ensues
![Page 52: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/52.jpg)
Web 2.0 Frameworks
•As of Django 1.0 (Sep 2008), HTML is auto-escaped
•Does Rails? No
•Does Google App Engine? No
•Does ASP.NET? On built-in controls
•Also has built-in request validation
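What "auto-escaped by default" buys you, modelled as two tiny template helpers; this is an added example, not code from the talk or from any of the frameworks named above. The profile field is a constructed value of the kind a stored-XSS worm like Mikeyy abused, and `markSafe` is a stand-in for Django's `mark_safe` / Rails' `raw` opt-out.

```javascript
// Added example: safe-by-default vs. unsafe-by-default HTML templating.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Marker for markup the developer has explicitly vouched for
// (the equivalent of Django's mark_safe or Rails' raw).
class SafeString { constructor(s) { this.value = s; } }
const markSafe = s => new SafeString(s);

// Unsafe-by-default: every interpolated value goes into the page verbatim,
// which is what a framework without auto-escaping hands the developer.
function renderUnescaped(strings, ...values) {
  return strings.reduce((out, str, i) =>
    out + str + (i < values.length ? values[i] : ""), "");
}

// Safe-by-default: every interpolated value is escaped unless it was
// explicitly wrapped in SafeString, so forgetting to escape is not possible.
function renderEscaped(strings, ...values) {
  return strings.reduce((out, str, i) => {
    if (i >= values.length) return out + str;
    const v = values[i];
    return out + str + (v instanceof SafeString ? v.value : escapeHtml(v));
  }, "");
}

// Constructed user-controlled profile field carrying a script payload.
const profile = { name: 'x"><script>alert(1)</script>' };

function profileCardUnescaped(p) { return renderUnescaped`<div class="name">${p.name}</div>`; }
function profileCardEscaped(p)   { return renderEscaped`<div class="name">${p.name}</div>`; }
function profileCardOptOut(p)    { return renderEscaped`<div>${markSafe("<b>")}${p.name}</div>`; }
```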
![Page 53: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/53.jpg)
![Page 54: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/54.jpg)
![Page 55: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/55.jpg)
RESTful APIs
•Asking for some CSRF hurt
•i.e. Updates not always restricted to POST
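The CSRF exposure of a state-changing REST call that accepts any verb, beside a gated version, as an added example that is not from the talk or Twitter's API. The route shape, session store, token name and `twitter.example` host are constructed placeholders.

```javascript
// Added example: a "post a status update" endpoint, weak and hardened.

// Constructed session store: cookie value -> user and per-session CSRF token.
const SESSIONS = { "session=abc": { user: "alice", csrfToken: "t0k3n-alice" } };

// Weak: any HTTP verb updates state and the only credential is the cookie
// the browser attaches automatically, so <img src="/statuses/update?status=...">
// on any other site posts as the victim.
function updateStatusWeak(req) {
  const s = SESSIONS[req.cookie];
  if (!s) return { status: 401 };
  const status = (req.query && req.query.status) || (req.body && req.body.status);
  return { status: 200, posted: status };
}

// Hardened: POST only, a per-session token that a cross-site page cannot read
// must travel in the body, and, as defence in depth, an Origin header that is
// present must name our own host.
function updateStatusHardened(req, ownHost = "twitter.example") {
  const s = SESSIONS[req.cookie];
  if (!s) return { status: 401 };
  if (req.method !== "POST") return { status: 405 };
  const origin = req.headers && req.headers.origin;
  if (origin && new URL(origin).host !== ownHost) return { status: 403 };
  if (!req.body || req.body.csrf_token !== s.csrfToken) return { status: 403 };
  return { status: 200, posted: req.body.status };
}
```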
![Page 56: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/56.jpg)
Why?
•Non-standard frameworks
•Lack of awareness
•Lack of standard disclosure channels
•Disclosure policies?
![Page 57: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/57.jpg)
Disclosure...
•So this guy, @quine
•Blogged a blog...
![Page 58: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/58.jpg)
Web Disclosure
•No clear lines
•Ambulance chasers
•Potential for legal action
•Little vendor responsibility
•More trouble than it’s worth
![Page 59: B-sides Las Vegas - social network security](https://reader035.vdocuments.us/reader035/viewer/2022070304/54c65b2a4a7959e9438b45eb/html5/thumbnails/59.jpg)
Solutions?
•OSVDB Extension?
•Separate entity?
•You tell me?