ASFWS 2012 - Bypassing the Terms of Service and the API of the Twitter service, by Nicolas Seriot
1. Abusing
Twitter API
Nicolas Seriot
Application Security Forum - 2012
Western Switzerland
7-8 November 2012
Y-Parc / Yverdon-les-Bains
https://www.appsec-forum.ch
3. Bio
• Cocoa developer
• HES Software Engineer
• MAS Eco. Crime Investigation
• Twitter user since July, 2008
• Father of a newborn
5. Tweets/day
[Figure: timeline 2006 to 2012. Labels recoverable from the slide: Twitter launch; tweets/day tick labels 5000, 1M, 22, 50, 65, 140M, 340M; verified accounts (celebrities); trending topics; promo. tweets (web), later promo. tweets (mobile); Dick Costolo CEO; Tweetie buyout; TweetDeck buyout; stricter ToS and display guidelines; no more RSS; last OS X client update; now $8 billion valuation and one of the top-10 most visited websites. API track: HTTP Basic Authentication, then OAuth API v. 1.0, then v. 1.1.]
6. March 2013: Maximum Evilness
“We’re trying to limit certain use cases that occupy the upper-right quadrant.”
https://dev.twitter.com/blog/changes-coming-to-twitter-api
7. • The author’s name and @username must be displayed to the right of the avatar.
• Reply, Retweet and Favorite Tweet actions must always be available.
• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
• The Twitter logo or Follow button for the Tweet author must always be displayed.
• The Tweet timestamp must always be linked to the Tweet permalink.
• A timeline must not be rendered with non-Twitter content. e.g. from other networks.
https://dev.twitter.com/terms/display-requirements
8. • Max. 100’000 users per Twitter client app.
• “Twitter discourages development in this area”
https://dev.twitter.com/terms/api-terms
"Developers ask us if they should build client apps that mimic or reproduce the mainstream Twitter consumer client experience. The answer is no."
"We need to move to a less fragmented world, where every user can experience Twitter in a consistent way."
https://groups.google.com/forum/#!msg/twitter-development-talk/yCzVnHqHIWo/sC34r_ZyMLYJ
9. Developers ♥ Stupid Rules!
"Twitter obviously wants to make money by advertising in the stream.
This will be impossible if all of the mechanisms aren't implemented to spec
within a client. They need full control of how the information is
presented, and do not have the bandwidth to micromanage ads with third
parties to prevent fraud, poor presentation, etc,"
http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden
10. Breaking the Rules
• OAuth authentication for every API request
• "We reserve the right to revoke your app"
https://dev.twitter.com/terms/api-terms
• Can a rogue client spoof the identity of a regular client and use the API as it wants?
20. /usr/bin/gdb
$ gdb attach <PID of OS X accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po $rax
tXvOrlJDmLnTfiUqJ3Kuw
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po $rax
AWcB**************************************
21. /usr/bin/gdb
$ gdb attach <PID of iPhoneSimulator accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po (int*)$eax
WXZE9QillkIZpTANgLNT9g
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po (int*)$eax
Aau5**************************************
demo
26. OS X Twitter Credentials
[Figure: Accounts.framework holds the Twitter account @nst021 with password xxxxxx.]
27. [Figure: STTwitter class diagram. STTwitterAPIWrapper (+ twitterAPIWith..., - getHomeTimeline, - postStatus) talks to an object implementing STTwitterOAuthProtocol. STTwitter can use the OS X consumer tokens through STOAuthOSX (Accounts.framework, Social.framework), or can use custom consumer tokens through STTwitterOAuth (STHTTPRequest).]
31. 1. Taking OAuth from the web to the Desktop was a conceptual error. Consumer tokens simply cannot be kept secret on the Desktop.
2. Twitter cannot realistically revoke keys from popular clients, especially from OS X / iOS.
3. xAuth brings nothing more than HTTP Digest Authentication, and sends the password in the request token phase.
4. OAuth cannot reliably identify the client, and additionally puts the users at risk.
OAuth Session Fixation Attack Demo
33. 5. I have to conclude that the real grounds for using OAuth are neither “security” nor spam fighting, but the desire to control third-party client applications to please big media, consumers and advertisers.
6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure it can be solved.
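Conclusions 3 and 4 above rest on how OAuth 1.0 signing actually works. The following is an added example, not code from the talk or from STTwitter: an RFC 5849 HMAC-SHA1 signer plus the matching server-side verifier. Run it and two things become visible. First, a "rogue" program holding the same consumer key and secret as the official client produces a byte-identical, valid signature, so the consumer key cannot serve as client identity (conclusion 4). Second, an xAuth access-token request carries x_auth_username and x_auth_password as ordinary form fields in the signed body, protected only by TLS (conclusion 3). The credentials and the `api.example.invalid` URLs are constructed placeholders; the function names are this example's own.

```python
# Added example (not from the talk or from STTwitter): OAuth 1.0 HMAC-SHA1 request
# signing per RFC 5849, used to show why a consumer key cannot authenticate a client.
# CONSUMER, TOKEN and the URLs below are constructed placeholder values.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed credentials: the consumer secret is exactly what a desktop client has
# to embed in its binary, so any program holding it signs identical requests.
CONSUMER = {"key": "EXAMPLE_CONSUMER_KEY", "secret": "EXAMPLE_CONSUMER_SECRET"}
TOKEN = {"key": "EXAMPLE_ACCESS_TOKEN", "secret": "EXAMPLE_TOKEN_SECRET"}
UPDATE_URL = "https://api.example.invalid/1.1/statuses/update.json"
ACCESS_TOKEN_URL = "https://api.example.invalid/oauth/access_token"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Z a-z 0-9 - . _ ~ unencoded)."""
    return quote(str(value), safe="~")


def normalize(params):
    """Encode keys and values, sort by encoded key then value, join as k=v&k=v."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, url, params):
    """METHOD&url&normalized-params, the last two parts percent-encoded once more."""
    return "&".join([method.upper(), pct(url), pct(normalize(params))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_request(method, url, consumer, token=None, extra=None, nonce=None, timestamp=None):
    """Build the full parameter set (oauth_* plus body/query params) and attach its signature."""
    params = {
        "oauth_consumer_key": consumer["key"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token["key"]
    params.update(extra or {})
    # oauth_signature is not yet in params, so it is correctly excluded from the base string
    params["oauth_signature"] = sign(method, url, params, consumer["secret"],
                                     token["secret"] if token else "")
    return params


def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the presented params, compare in constant time."""
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def form_body(params):
    """application/x-www-form-urlencoded body holding the non-oauth_* parameters."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in params.items() if not k.startswith("oauth_"))


def consumer_key_does_not_identify_client(nonce="constructed-nonce", timestamp=1352275200):
    """Conclusion 4: the official client and a rogue program holding the same consumer
    secret produce identical, valid signatures; the server cannot tell them apart."""
    status = {"status": "Hello from a desktop client", "include_entities": "true"}
    official = signed_request("POST", UPDATE_URL, CONSUMER, TOKEN, status, nonce, timestamp)
    rogue = signed_request("POST", UPDATE_URL, CONSUMER, TOKEN, status, nonce, timestamp)
    both_valid = all(verify("POST", UPDATE_URL, r, CONSUMER["secret"], TOKEN["secret"])
                     for r in (official, rogue))
    return both_valid and official == rogue


def xauth_access_token_body(username, password, nonce="constructed-nonce", timestamp=1352275200):
    """Conclusion 3: xAuth trades username/password for an access token; the password
    travels as a plain form field in the signed request body (TLS is its only protection)."""
    fields = {"x_auth_mode": "client_auth", "x_auth_username": username, "x_auth_password": password}
    req = signed_request("POST", ACCESS_TOKEN_URL, CONSUMER, None, fields, nonce, timestamp)
    return form_body(req)


if __name__ == "__main__":
    print("same consumer secret => indistinguishable clients:", consumer_key_does_not_identify_client())
    print("xAuth body:", xauth_access_token_body("alice", "correct horse battery staple"))
```

The signature binds the request to whoever holds the secrets, never to a particular binary; the only server-side levers that remain are per-user-token rate limits and anomaly detection on behaviour, which is exactly the "very hard problem" conclusion 6 refers to.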