Hacker Leaks 15,000 Twitter Access Credentials, Promises MoreTwitter users should revoke and reassign access for all third-party Twitter apps to mitigate vulnerability, security expert urges.
9 Android Apps To Improve Security, Privacy (click image for larger view)
Twitter users: Revoke and reestablish access rights for all third-party apps tied to your Twitter account.
That's the advice being offered after a hacker hailing from Mauritania leaked what he said were access credentials for 15,167 Twitter users. The information was uploaded Tuesday to the Zippyshare website by "Mauritania Attacker" in the form of a 3.7-MB "twitter-accounts.txt" file that includes shout-outs to AnonGhost, a collective he founded that specializes in website defacements, as well as to Anonymous.
Is the Twitter leak just a teaser? Mauritania Attacker told Techworm that he'd compromised what the publication reported was the "entire database of users on Twitter," saying "no account is safe." The hacker also said he was weighing releasing all of the stolen information in the future.
The Twitter information leaked to date doesn't include passwords, but it does include Twitter IDs and links to profile pictures, as well as OAuth tokens. First adopted by Twitter in 2010, OAuth allows developers to create applications that can directly access Twitter without always having to ask for a user's password.
The risk now is that an attacker could use the corresponding user IDs and OAuth tokens to enjoy password-free access to those users' accounts. Mauritania Attacker, for example, noted in his Zippyshare upload that people could "use TamperData and connect directly to any account with the auth_token." That refers to Tamper Data, a well-reviewed Firefox plug-in the developer bills as a way "to view and modify HTTP/HTTPS headers and post parameters." The plug-in was designed as an HTTP response and request trace and time-testing tool, as well as a way to test Web applications by allowing researchers to create arbitrary POST parameters. But in the hands of someone possessing valid Twitter OAuth tokens and their corresponding user IDs, the tool could be used to gain access to anyone's Twitter account.
[ Twitter has beefed up security, but two-factor authentication isn't enough. Read Twitter Two-Factor Authentication: Too Little, Too Late? ]
Twitter didn't immediately respond to an emailed request for comment about whether the leaked information was legitimate or posed a risk to users.
If the leaked data is genuine, however, fortunately there's an easy fix: Twitter users can revoke and then reauthorize access rights for all third-party apps, which will result in their current OAuth tokens being invalidated and new ones issued, according to security expert Alan Woodward, who teaches at the University of Surrey in England.
"Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third-party apps that have access," Woodward told GigaOm. "The reason is that at present Twitter OAuth tokens, once issued, do not expire. You have to manually revoke them ... and then just re-log in when/if you want to re-access Twitter via that app. This way a new token will be issued."
Woodward also noted that Mauritania Attacker had likely obtained the OAuth tokens after hacking into a third-party service rather than by hacking into Twitter's authentication servers.
This isn't Mauritania Attacker's first hack attack. Earlier this year, the self-described twenty-something, non-extremist Muslim -- claimed to possess "all governments emails of USA" and published a teaser, which included both microsoft.com and cia.gov addresses, although no passwords. The promised full disclosure of all of those emails as part of OpUSA, however, never came to pass.
Even if Mauritania Attacker's new Twitter data dump -- aka dox -- is legitimate, it would be far from the first time that someone identified ways in which OAuth vulnerabilities could be exploited to hack into an online service. Several weeks ago, for example, security researcher Kelker Ryan said he'd attempted to warn Twitter that its implementation of OAuth 2 was vulnerable. "I contacted Twitter months ago stating that I had their private keys and that I would like to help them fix it," he said in a post to Coderwall. "Almost four months later, I have yet to [receive] a response after contacting them multiple times."
Likewise, Twitter isn't the only site to have faced OAuth-related vulnerabilities. For example, in May information security researcher Nir Goldshlager, CEO of Break Security, demonstrated how he'd used OAuth vulnerabilities to hack into Instagram accounts. He noted that Facebook, which had recently acquired Instagram, offered to pay him a bug bounty for his efforts, although he declined.
Just one month prior, Goldshlager detailed an attack technique that could be used to steal people's Facebook access tokens via OAuth, owing to a site redirection vulnerability in third-party Facebook apps such as Skype and Dropbox. "If the owner app domain has a site redirection, the attacker will then be able to steal the victim's access_token through the use of Facebook OAuth," Goldshlager reported.
Less than 24 hours after Goldshlager published the vulnerability details and a proof-of-concept attack, both Skype -- which is owned by Microsoft -- and Dropbox reported that they'd fixed the identified vulnerabilities.