Looks like my follow up to Gareth Heyes' Twitter Hack produced two effects:
- Twitter guys closed their hole by requiring an additional basic HTTP authentication step to retrieve the friends timeline JSON feed. Well done, albeit still lacking as an anti-CSRF countermeasure, because if user already performed basic authentication for any reason during this session, the hack still works flawlessly (not sure about how likely this is, though).
- Some readers complained about me slightly criticizing Adblock Plus' new 3rd party blocking, by calling it "rather inconvenient" (especially if compared with the new NoScript 18.104.22.168's anti-hijacking protection which doesn't require any script blocking), although I was actually praising the famous ad blocker as a countermeasure against this attack.
Yesterday evening, when I wrote that post, I was overly tired from a very stressful week, so I fell in the trap of suggesting to use Adblock Plus for a security purpose. After some sleep, a bit more in my mind, I recalled why I always recommend Adblock Plus as a wonderful annoyance blocker, but not to be relied upon for security: there are too many easy ways to circumvent it.
More in general, Adblock Plus and FlashBlock, despite a popular superstition, canâ€™t be considered security tools because theyâ€™re not conceived nor developed with the necessary
defensive and proactiveparanoid mindset.
I updated my PoC to reflect both these events.
Now it "hijacks" Twitter's public listings feed which, as the adjective "public" suggests, has no reason to be protected.
And this time Adblock Plus' 3rd party blocking won't help :)