June 14, 2021

Twitter flaw allowed third party apps to access direct messages

(LiveHacking.Com) – There are lots of web sites that offer sign-in via Twitter or offer the ability to interact with Twitter on your behalf. When such third party apps require access to Twitter, you need to explicitly grant permission via Twitter itself. Normally such web sites don’t have access to your direct messages but are limited to accessing what is already public (i.e. your tweets). However, a bug was recently discovered that allowed third party web apps to access a user’s direct messages without the user’s knowledge or permission.

Cesar Cerrudo of IOActive Labs Research has detailed how he discovered the unauthorized access in a blog post. While testing a web application that had an option to sign in with Twitter, Cesar discovered that the web app had been secretly granted permission to access his direct messages. It appears that this happened when he signed in with Twitter for a second or third time. The first time around, the app only had access to his public data. Later, however, when he signed in again via Twitter, the app had somehow obtained access to his direct messages.

“My surprise didn’t end here. I went to https://twitter.com/settings/applications to check the application settings. The page said ‘Permissions: read, write, and direct messages’. I couldn’t understand how this was possible, since I had never authorized the application to access my ‘private’ direct messages. I realized that this was a huge security hole.”

Cerrudo reported the vulnerability to Twitter. Its security team quickly resolved the issue and a fix was up within 24 hours. The only unknown at the moment is how long the bug exposed users’ private messages. The vulnerability was fixed on January 17, 2013, without a security advisory from Twitter.

It is worth periodically checking the https://twitter.com/settings/applications page to verify what apps are allowed to do with your Twitter account.

In brief: Unknown number of Twitter users told to reset passwords

(LiveHacking.Com) – An unknown number of Twitter users have been sent genuine emails from the microblogging company telling them that their account has been hacked. Users who receive these emails need to reset their passwords as soon as possible.

The email reads, “Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.”

However, it also appears that although some accounts have been compromised, Twitter got a bit overzealous in sending the notifications and some users received the emails unintentionally. Nonetheless, there is evidence of incidents involving several high-profile Twitter accounts, including at least one belonging to the BBC.

“When we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users,” wrote a Twitter representative in a statement released by the company. “In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologise for any inconvenience or confusion this may have caused.”

The cause or extent of any hacking is still unknown and the only anecdotal evidence of anything wrong is coming from those who have seen tweets deleted. Comedian David Mitchell tweeted that he had received the email, “but the only evidence of hacking I can find is that my tweet about my Observer column last Sun has disappeared. Weird.”

How Apple helped attacker hack Gizmodo’s Twitter account

(LiveHacking.com) — Over the weekend, a hacking group known as Clan VV3 gained control of Gizmodo’s Twitter account and sent offensive messages to Gizmodo’s 415,000 followers. The hacking of such a high-profile Twitter account is a serious thing, but what is even more startling is the way the hackers did it.

It all starts with Mat Honan, a former Gizmodo employee. The hackers managed to breach Mat’s iCloud account by using some clever social engineering that let them bypass Apple’s security questions. Once they had tricked Apple, the hackers proceeded to reset all of Mat’s accounts and devices. They sent remote wipe commands to Mat’s iPhone, iPad and MacBook.

The backup email address for Mat’s Gmail account was the .mac email address that had just been hacked. The hackers used this to trigger a password recovery email to that address and subsequently took over his Gmail. A few minutes after that, they took over his Twitter account. And because Mat had linked his Twitter account to Gizmodo’s, the hackers were then able to gain entry to that as well.

Mat has confirmed with AppleCare how the hacker was able to get control of his accounts, and Mat is planning to publish all the details on Wired (his current employer). However, he has emailed Tim Cook and Apple PR to give them a chance to comment. Although there has been no response from Tim Cook, Mat did get an urgent call from AppleCare ten minutes after sending the emails, informing him that the situation had been escalated.

What can be learned from this sorry story is that social engineering still remains a powerful and effective means used by hackers to breach security. In this case it seems that Apple are to blame, and since everything was linked (somehow) to Mat’s iCloud account, the hacker was able to take control of Mat’s Gmail, Mat’s Twitter account and of course Gizmodo’s Twitter account.

Whisper Systems Bought by Twitter

(LiveHacking.Com) – Whisper Systems, a mobile device security and privacy company, has been bought by Twitter. The company, which specialises in security for Android devices, announced that during the transition it is taking all of its products and services offline.

However, they assure their fans that the products will live on (under a Twitter brand?) and that they have some surprises in store once the transition is complete.

The question is, what do Twitter want with an Android security company? Twitter is available on a multitude of platforms, not just Android.

One interesting possibility: Whisper Systems developed a product called RedPhone, which provides end-to-end encryption for phone calls. Could it be that Twitter want to join the likes of Skype, Google and Yahoo in providing a VoIP service?

New Phishing Attack Spread by Twitter Direct Message

(LiveHacking.Com) — A new phishing attack has appeared on the Twitter network using Direct Messages (DM) to deceive people into following a link to a fake Twitter login page.

The messages, sent from other Twitter users’ accounts, lure victims by asking whether it is them who is pictured in a photo or video, or mentioned in a blog post.

Various versions of the bait messages include:

is this you in the video?
is this you in this picture?
check this out… it’s a funny blog post. you’re mentioned in it.

Clicking on the included link takes you to what appears, at first glance, to be the Twitter login page, but it is in fact hosted on a domain spelled similarly to Twitter’s that isn’t associated with Twitter at all.

If you take the bait and enter your username and password on that page, you have probably given your login credentials to hackers.

Del Harvey (@delbius), who runs Twitter’s Safety team, says that Twitter is resetting the passwords of users it believes have been hit by the phishing attack: “We’re resetting passwords for affected users; here’s the help page to check out about what you should do. https://support.twitter.com/articles/31796-my-account-has-been-compromised.”
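The two signals the article describes, lure wording and a link to a domain that merely resembles twitter.com, can be checked together. This is an added example, not code from the article or from Twitter; the bait phrases are the ones quoted above, and every sample DM and hostname is constructed (using the reserved .example TLD).

```javascript
// Added example, not from the article: flag DMs that combine the bait wording
// quoted above with a link whose host only resembles twitter.com.
// All sample DMs and hostnames below are constructed (.example TLD).
const BAIT_PATTERNS = [
  /is this you in (the|this) (video|picture|photo)/i,
  /you'?re mentioned in it/i,
  /funny blog post/i,
];
const LEGIT_HOSTS = new Set(['twitter.com', 'www.twitter.com', 'support.twitter.com', 't.co']);
// Levenshtein distance, used to catch one- or two-character typo domains.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}
// Undo common visual substitutions ("vv" for "w", "1" for "l", "0" for "o") before comparing.
function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, '').replace(/vv/g, 'w').replace(/1/g, 'l').replace(/0/g, 'o');
}
function isLookalikeHost(host) {
  const h = host.toLowerCase();
  if (LEGIT_HOSTS.has(h)) return false;            // the real site, or Twitter's own shortener
  const n = normaliseHost(h);
  if (n.includes('twitter')) return true;          // e.g. twitter.com.lure.example, tvvitter.example
  const registered = n.split('.').slice(-2).join('.');
  return editDistance(registered, 'twitter.com') <= 2;   // e.g. twiter.com, twittr.com
}
// Classify one DM: suspicious only when lure wording and a lookalike link occur together.
function classifyDm(text) {
  const bait = BAIT_PATTERNS.some((re) => re.test(text));
  const hosts = (text.match(/https?:\/\/\S+/gi) || []).map((u) => new URL(u).hostname);
  const lookalike = hosts.some(isLookalikeHost);
  return { bait, lookalike, suspicious: bait && lookalike, hosts };
}
const SAMPLE_DMS = [  // constructed samples
  'is this you in the video? http://tvvitter.example/login',
  "check this out... it's a funny blog post. you're mentioned in it. http://twitter.com.lure.example/",
  'lunch tomorrow? https://twitter.com/settings/applications',
];
```

Links through Twitter's t.co shortener hide the final host, so a real deployment would have to resolve them before applying the host check.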

Google and Twitter Improve SSL Support

Google and Twitter have independently announced that they are improving their support for secure encrypted connections (with SSL and HTTPS) when using their respective services.

Google announced on its official Google Code blog that it will be improving the security of Google APIs with SSL, while Twitter, the micro-blogging service has added a new setting that allows users to always use HTTPS when accessing all pages on twitter.com, not just during log-in.

Google has already changed many of its user-facing services to either allow or require the use of HTTPS, including Google web search, Gmail and Google Docs. Next, Google wants to improve SSL support for its developer-facing APIs. Most of Google’s APIs already use SSL, and beginning September 15, 2011, Google will require that all users of the Google Documents List API, Google Spreadsheets API, and Google Sites API use SSL connections for all API requests.

With tools available like Firesheep, which make it easy to steal passwords for social networking sites when the victim is using an insecure wireless network, Twitter are emphasising the importance of using HTTPS. Twitter over SSL has been available for some time at https://twitter.com, but it has now made it simpler for users to use it all the time by adding an option to the settings page.

To turn on HTTPS, go to your settings and check the box next to “Always use HTTPS,” which is at the bottom of the page.

OnMouseOver XSS plagues Twitter

A new wave of Twitter attacks which make use of an XSS vulnerability in Twitter’s web client is causing trouble for users of the micro-blogging service. The injected script code is able to read the user’s Twitter cookie and authentication data. First assessments indicate that the vulnerability can be used to create a worm that spreads automatically.

Read the full story here.
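The bug class behind an onMouseOver XSS is untrusted tweet text landing inside an HTML attribute without escaping. The following is an added example, not code from the article or from Twitter’s web client: a vulnerable renderer beside a hardened one, with a constructed tweet that closes the quoted attribute and opens a handler attribute (the handler body is an inert placeholder).

```javascript
// Added example, not from the article or from Twitter's code: the bug class behind an
// onMouseOver XSS is untrusted tweet text landing inside an HTML attribute unescaped.
// Escape the five characters that can break out of text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Vulnerable: tweet text is concatenated straight into a title attribute and the body.
function renderTweetUnsafe(text, url) {
  return `<a href="${url}" title="${text}">${text}</a>`;
}
// Hardened: every untrusted value is escaped, and the href is only accepted when it
// parses as http(s), so a javascript: URL cannot slip through either.
function renderTweetSafe(text, url) {
  let href = '#';
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') href = u.href;
  } catch (_) { /* unparseable URL: keep the inert '#' */ }
  const t = escapeHtml(text);
  return `<a href="${escapeHtml(href)}" title="${t}">${t}</a>`;
}
// Crude string-level check (a real test would parse the DOM): a quoted attribute that
// is closed and followed by an on* handler the template itself never wrote.
function hasInjectedHandler(html) {
  return /"\s+on[a-z]+\s*=/i.test(html);
}
// Constructed tweet text in the shape of the attack: it closes the quoted title attribute
// and opens a handler attribute. The handler body is an inert placeholder.
const CONSTRUCTED_TWEET = 'hello" onmouseover="void 0';
```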