January 13th, 2009
Twitter JSON Hijacking Updates
Posted by: Giorgio in AJAX, CSRF, Mozilla, Security, NoScript

Looks like my follow-up to Gareth Heyes' Twitter Hack produced two effects:
- The Twitter guys closed their hole by requiring an additional HTTP Basic authentication step to retrieve the friends timeline JSON feed. Well done, albeit still lacking as an anti-CSRF countermeasure: browsers cache Basic credentials and resend them automatically on every request to the same realm, exactly as they do with cookies, so if the user already performed Basic authentication for any reason during this session, the hack still works flawlessly (not sure how likely this is, though).
- Some readers complained about my slightly criticizing Adblock Plus' new 3rd-party blocking by calling it "rather inconvenient" (especially compared with the new NoScript 1.8.8.95's anti-hijacking protection, which doesn't require any script blocking), although I was actually praising the famous ad blocker as a countermeasure against this attack.
Yesterday evening, when I wrote that post, I was overly tired from a very stressful week, so I fell into the trap of suggesting Adblock Plus for a security purpose. After some sleep, with a clearer head, I recalled why I always recommend Adblock Plus as a wonderful annoyance blocker, but not as something to be relied upon for security: there are too many easy ways to circumvent it.
More generally, Adblock Plus and FlashBlock, despite a popular superstition, can't be considered security tools, because they're neither conceived nor developed with the necessary defensive, proactively paranoid mindset.
I updated my PoC to reflect both these events. Now it "hijacks" Twitter's public listings feed which, as the adjective "public" suggests, has no reason to be protected by authentication; the mechanism is the same, though: a JSON response that is also valid JavaScript, loaded cross-site through a script tag, hands its content to whatever page embedded it. And this time Adblock Plus' 3rd-party blocking won't help :)
Are you logged in Twitter?
January 14th, 2009 at 12:02 am
Hehe... Your little game with Wladimir is excellent. Now, Wladimir HAS TO answer with a criticism against NoScript or ABE. :-)
February 17th, 2009 at 6:32 pm
[...] In CSRFs, victims visit what appear to be innocent-looking web sites, but which contain malicious code that generates requests to a different site instead. Due to heavy use of AJAX, Web 2.0 applications are potentially more vulnerable to this type of attack. In legacy apps, most user-generated requests produced a visual effect on the screen, making CSRF easier to spot. Web 2.0 systems' lack of visual feedback makes this attack less apparent. A recent example of a CSRF involved a vulnerability in Twitter in which site owners could get the Twitter profiles of their visitors. [...]
March 19th, 2009 at 2:25 pm
Great tool. I think the symbols are backwards and the blocked sites should have the (no-sign) symbol, not the reverse. I don't know if there's an option, (but without a little legend of the symbol meaning) people would not know from one PC to another. Just a suggestion, and many thanks for your constant non-stop work on the program which can irritate, is very much needed in a time where kids and older people that should know better prey on the unknowing.
April 13th, 2009 at 2:28 pm
[...] after several other security issues, including "exotic" ones like Clickjacking or JSON hijacking, Twitter is in serious trouble again, this time with an XSS worm which quickly managed to infect [...]