1. Abusing
Twitter API
Nicolas Seriot
Application Security Forum - 2012
Western Switzerland
7-8 novembre 2012
Y-Parc / Yverdon-les-Bains
https://www.appsec-forum.ch

3. Bio
• Cocoa developer
• HES Software Engineer
• MAS Eco. Crime Investigation
• Twitter user since July, 2008
• Father of a newborn

4. Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion

5. Tweets/day
now $8 billion valuation, 340M
top-10 most visited websites
140M
5000 1M 22 50 65
verified promo. Dick promo. no
accounts trending tweets Costolo tweets more
Twitter (celebrities) topics web CEO mobile RSS
launch
2006 2007 2008 2009 2010 2011 2012
Tweetie TweetDeck stricter ToS,
buyout buyout display guidelines
last OS X client update
v. 1.1
API
OAuth API v. 1.0
HTTP Basic Authentication

6. March 2013: Maximum Evilness
“We’re trying to limit certain use cases
that occupy the upper-right quadrant.”
https://dev.twitter.com/blog/changes-coming-to-twitter-api

7. • The author’s name and @username must be displayed to the right of the avatar.
• Reply, Retweet and Favorite Tweet actions must always be available.
• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
• The Twitter logo or Follow button for the Tweet author must always be displayed.
• The Tweet timestamp must always be linked to the Tweet permalink.
• A timeline must not be rendered with non-Twitter content. e.g. from other networks.
https://dev.twitter.com/terms/display-requirements

8. • Max. 100’000 users per Twitter client app.
• “Twitter discourages development in this area”
https://dev.twitter.com/terms/api-terms
"Developers ask us if they should build
client apps that mimic or reproduce
the mainstream Twitter consumer client
experience. The answer is no."
"We need to move to a less
fragmented world, where every user
can experience Twitter in a
consistent way."
https://groups.google.com/forum/#!
msg/twitter-development-talk/
yCzVnHqHIWo/sC34r_ZyMLYJ

9. Developers ♥ Stupid Rules!
"Twitter obviously wants to make money by advertising in the stream.
This will be impossible if all of the mechanisms aren't implemented to spec
within a client. They need full control of how the information is
presented, and do not have the bandwidth to micromanage ads with third
parties to prevent fraud, poor presentation, etc,"
http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-
facebook-walled-garden

10. Breaking the Rules
• OAuth authentication for every API request
• "We reserve the right to revoke your app"
https://dev.twitter.com/terms/api-terms
• Can a rogue client spoof the identity of a
regular client and use the API as it wants?

11. Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion

12. http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/

13. @nst021 bitly Twitter
“Use my account”
request_token
OAuth / Web
authorize
access_token
home_timeline green coin is
for bitly and
@nst021

14. @nst021 / iOS Twitter
OAuth / Desktop
request_token
authorize
access_token
home_timeline green coin is
for bitly and
@nst021

15. @nst021 / iOS Twitter
Authentication
request_secret request_token
PIN: 3 phases
request_key
consumer_secret
consumer_key authorize
verifier
access_secret access_token
access_key
home_timeline green coin is
for bitly and
@nst021

16. @nst021 / iOS Twitter
Authentication
xAuth: 1 phase
consumer_secret
consumer_key
access_secret access_token
access_key
username
home_timeline green coin is
password for bitly and
@nst021

17. Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion

18. /usr/bin/strings
$ strings /Applications/Twitter.app/
Contents/MacOS/Twitter
3rJOl1ODzm9yZy63FACdg
5jPo**************************************

19. Test the Tokens
#!/usr/bin/env python
import tweepy
CONSUMER_KEY = '3rJOl1ODzm9yZy63FACdg'
CONSUMER_SECRET = '5jPo**************************************'
auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)
auth_url = auth.get_authorization_url()
print "Please authorize:", auth_url
verifier = raw_input('PIN: ').strip()
auth.get_access_token(verifier)
print "ACCESS_KEY:", auth.access_token.key
print "ACCESS_SECRET:", auth.access_token.secret
demo

20. /usr/bin/gdb
$ gdb attach <PID of OS X accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po $rax
tXvOrlJDmLnTfiUqJ3Kuw
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po $rax
AWcB**************************************

21. /usr/bin/gdb
$ gdb attach <PID of iPhoneSimulator accountsd>
(gdb) b -[OACredential consumerKey]
(gdb) finish
(gdb) po (int*)$eax
WXZE9QillkIZpTANgLNT9g
(gdb) b -[OACredential consumerSecret]
(gdb) finish
(gdb) po (int*)$eax
Aau5**************************************
demo

22. Logging Freed Strings
$ sudo dtrace -n 'pid$target::free:entry {
printf("%s", arg0 != NULL ?
copyinstr(arg0) :
"<NULL>"); }' -p 10123

23. Objective-C Variant
@implementation NSString (XX)
+ (void)load {
Swizzle([NSString class],
@selector(dealloc),
@selector(my_dealloc));
}
- (void)my_dealloc {
NSLog(@"%@", self);
[self my_dealloc];
}
@end
(gdb) p (char)[[NSBundle bundleWithPath:
@"/Library/Frameworks/XX.framework"] load]

24. Other Techniques
• Memory dump
$ sudo ./gcore64 -c /tmp/dump.bin 4149
$ strings dump.bin | sort -u > /tmp/dump.txt
# key=consumerSecret&
$ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt
• Google…

25. Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion

26. OS X Twitter Credentials
Accounts.framework
@nst021
xxxxxx

27. can use OS X …or can use custom
consumer tokens… consumer tokens
STTwitterAPIWrapper
+ twitterAPIWith...
- getHomeTimeline
STTwitter
- postStatus
STTwitterOAuthProtocol
STTwitterOAuth
STOAuthOSX
STHTTPRequest
Accounts.framework
Social.framework

28. STTwitter
https://github.com/nst/STTwitter
demo from 55.750984, 37.617571

29. TwitHunter
https://github.com/nst/TwitHunter

30. Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion

31. 1. Taking OAuth from web to Desktop was a
conceptual error. Consumer tokens simply
just cannot be kept secret on the Desktop.
2. Twitter cannot realistically revoke keys from
popular clients, especially from OS X / iOS.
3. xAuth brings nothing more that HTTP Digest
Authentication, and sends password in the
request token phase.
4. OAuth cannot reliably identify the client, and
additionally puts the users at risk.
OAuth Session Fixation Attack Demo

33. 5. I have to conclude that the real grounds for
using OAuth is neither “security” nor spam
fighting but desire to control third-
party client applications to please big
media, consumers and advertisers.
6. Sadly for Twitter, ensuring that the requests
come from a certain client application is a
very hard problem, and I am not sure if it
can be solved.

34. Recap
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion

35. Twitter:
@nst021
Web:
http://seriot.ch/abusing_twitter_api.php
Slides:
http://www.slideshare.net/ASF-WS/presentations