Application-only auth, https://dev.twitter.com/docs/auth/application-only-auth (diagram): "Some App" holds consumer_key and consumer_secret, exchanges them with Twitter for an application-only bearer_token, and calls user_timeline with it.

Use the consumer key and secret of "Some App" to get the application-only bearer token yourself and exhaust its rate limits: denial of service.

And now you can call invalidate_token to invalidate the bearer token: denial of service for "Some App"!
Core Text Crasher

$ gdb Twitter
(gdb) r
Starting program: /Applications/Twitter.app/Contents/MacOS/Twitter
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x00000001084e8008
0x00007fff9432ead2 in vDSP_sveD ()
(gdb) bt
#0  0x00007fff9432ead2 in vDSP_sveD ()
#1  0x00007fff934594fe in TStorageRange::SetStorageSubRange ()
#2  0x00007fff93457d5c in TRun::TRun ()
#3  0x00007fff934579ee in CTGlyphRun::CloneRange ()
#4  0x00007fff93466764 in TLine::SetLevelRange ()
#5  0x00007fff93467e2c in TLine::SetTrailingWhitespaceLevel ()
#6  0x00007fff93467d58 in TRunReorder::ReorderRuns ()
#7  0x00007fff93467bfe in TTypesetter::FinishLineFill ()
#8  0x00007fff934858ae in TFramesetter::FrameInRect ()
#9  0x00007fff93485110 in TFramesetter::CreateFrame ()
#10 0x00007fff93484af2 in CTFramesetterCreateFrame ()
...
"The vulnerable code has probably been in the wild for yonks; some people noticed it six months ago and it appeared on some slides [PDF] in April for a Hack In The Box conference presentation. Barely anyone took any notice back then - but it started to spread around the web over the weekend after a trigger string appeared on a Russian website."
http://www.theregister.co.uk/2013/09/04/unicode_of_death_crash/
Reverse Auth, https://dev.twitter.com/docs/ios/using-reverse-auth (diagram): the My.app Server holds consumer_key and consumer_secret and does the OAuth dance with Twitter (request_token / request_key, then access_token / access_key / access_secret). My.app on iOS obtains iOS_key / iOS_secret through Reverse Auth and calls home_timeline with them. The green tokens in the diagram are the ones issued for @nst021 with My.app.

✓ CS (the consumer secret) is not shipped with My.app.
✗ The user unknowingly grants My.app access to her DMs.
Twitter / iOS Integration
• How does Twitter identify the application sending requests through the iOS frameworks?
• TWRequest (iOS 5) adds an application_id param to each request (e.g. ch.seriot.myApp).
• SLRequest (iOS 6+) does not!
Account Creation
Web: captcha.
iOS Settings: no captcha.
Create Accounts in Batch
POST https://api.twitter.com/1/account/generate.json
Authorization: OAuth \
  oauth_nonce="C4E16213-9058-49E8-A06E-65A5D961EED0", \
  oauth_signature_method="HMAC-SHA1", \
  oauth_timestamp="1378598935", \
  oauth_consumer_key="IHUYavQ7mmPBhNiBBlF9Q", \
  oauth_token="8285392-niqOtDvwwUXOzQJsCvDxcPndUBHb4dWrTLXw1nTw", \
  oauth_signature="V6ySPsviDz%2BJnTvBFoE2qpHJv70%3D", \
  oauth_version="1.0"

adc: pad
discoverable_by_email: 0
email: EMAIL
geo_enabled: 0
lang: en
name: NAME
password: PASSWORD
screen_name: SCREEN_NAME
send_error_codes: true
time_zone: CEST

The related consumer secret is easy to find with GDB attached to the iOS Simulator.
No need to fill in captchas anymore :)
Weird Consumer Identity WTF?!
“Almost” OAuth

✗ (nonce, timestamp, token) can be reused across requests.
✗ nonce can be fixed.

RFC 5849, 3.2. Verifying Requests: "Servers receiving an authenticated request MUST validate it by: (...) If using the "HMAC-SHA1" or "RSA-SHA1" signature methods, ensuring that the combination of nonce/timestamp/token (if present) received from the client has not been used before in a previous request (the server MAY reject requests with stale timestamps as described in Section 3.3)."

RFC 5849, 3.3. Nonce and Timestamp: "(...) A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations."

http://tools.ietf.org/html/rfc5849
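The signed request on the "Create Accounts in Batch" slide and the RFC 5849 checks quoted above, as an added example (not code from the talk, from Twitter, or from any library): client-side HMAC-SHA1 signing of an OAuth 1.0 request, and a server-side verifier that enforces the nonce/timestamp/token replay rule the slide says is not enforced. The consumer and token credentials, the endpoint and the request body are constructed placeholders; the only real values are RFC 5849's own section 3.4.1.1 sample, used to check the signature base string.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing on the client side, plus the
server-side checks of sections 3.2 and 3.3: signature, timestamp window and
rejection of a reused (nonce, timestamp, token) triple.  Added example; the
credentials, endpoint and request body below are constructed here and are
not Twitter's or the talk's own values."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlparse

# Constructed credentials (hypothetical; not real Twitter keys).
CONSUMER_KEY = "exampleConsumerKey"
CONSUMER_SECRET = "exampleConsumerSecret"
TOKEN = "exampleAccessToken"
TOKEN_SECRET = "exampleAccessTokenSecret"


def pct(value):
    """RFC 5849 3.6: percent-encode everything but ALPHA / DIGIT / - . _ ~."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """RFC 5849 3.4.1 signature base string: method, normalized URL and the
    sorted, encoded request parameters (query string parameters included)."""
    u = urlparse(url)
    host = u.netloc.lower()
    for scheme, port in (("http", ":80"), ("https", ":443")):  # default ports are dropped
        if u.scheme.lower() == scheme and host.endswith(port):
            host = host[: -len(port)]
    normalized_url = f"{u.scheme.lower()}://{host}{u.path}"
    all_params = list(parse_qsl(u.query, keep_blank_values=True)) + list(params)
    pairs = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized_params = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalized_url), pct(normalized_params)])


def sign(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """RFC 5849 3.4.2: base64(HMAC-SHA1(key, base string)), key = both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, list(body_params) + list(oauth_params)).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


class OAuthServer:
    """Server-side verification with the replay check RFC 5849 3.2 requires."""

    def __init__(self, secrets, window=300):
        self.secrets = secrets  # consumer_key -> (consumer_secret, {token: token_secret})
        self.window = window  # seconds of clock skew tolerated (RFC 5849 3.3)
        self.seen = set()  # (nonce, timestamp, token) triples already accepted

    def verify(self, method, url, body_params, oauth_params, now=None):
        now = time.time() if now is None else now
        o = dict(oauth_params)
        consumer_secret, tokens = self.secrets[o["oauth_consumer_key"]]
        token_secret = tokens[o["oauth_token"]]
        if abs(now - int(o["oauth_timestamp"])) > self.window:
            return "stale timestamp"
        unsigned = [(k, v) for k, v in oauth_params if k != "oauth_signature"]
        expected = sign(method, url, body_params, unsigned, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, o["oauth_signature"]):
            return "bad signature"
        triple = (o["oauth_nonce"], o["oauth_timestamp"], o["oauth_token"])
        if triple in self.seen:  # the check the slide says is missing
            return "replay"
        self.seen.add(triple)
        return "ok"


def rfc5849_base_string():
    """The worked example of RFC 5849 3.4.1.1, using the RFC's own sample values."""
    url = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    body = [("c2", ""), ("a3", "2 q")]
    oauth = [("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_nonce", "7d8f3e4a"),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
             ("oauth_token", "kkk9d7dh3k39sjv7")]
    return base_string("POST", url, body + oauth)


def demo():
    """Sign one constructed request, then replay it, tamper with it, and send it late."""
    url = "https://api.example.com/1/statuses/update.json"  # hypothetical endpoint
    body = [("status", "hello")]
    ts = 1378598935
    oauth = [("oauth_consumer_key", CONSUMER_KEY), ("oauth_nonce", "C4E16213"),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(ts)),
             ("oauth_token", TOKEN), ("oauth_version", "1.0")]
    signature = sign("POST", url, body, oauth, CONSUMER_SECRET, TOKEN_SECRET)
    signed = oauth + [("oauth_signature", signature)]
    server = OAuthServer({CONSUMER_KEY: (CONSUMER_SECRET, {TOKEN: TOKEN_SECRET})})
    first = server.verify("POST", url, body, signed, now=ts + 5)
    replayed = server.verify("POST", url, body, signed, now=ts + 6)  # same nonce/timestamp/token
    tampered = server.verify("POST", url, [("status", "pwned")], signed, now=ts + 7)
    late = server.verify("POST", url, body, signed, now=ts + 10_000)
    return first, replayed, tampered, late


if __name__ == "__main__":
    print(demo())
```

A server that skips the `seen` check accepts the second request exactly as it accepted the first, which is what "nonce can be fixed" and "(nonce, timestamp, token) can be reused" mean in practice: a captured signed request stays valid for as long as the timestamp window allows.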