Attacks/Breaches
8/21/2013
01:56 PM

Hacker Leaks 15,000 Twitter Access Credentials, Promises More

Twitter users should revoke and reassign access for all third-party Twitter apps to mitigate vulnerability, security expert urges.

Twitter users: Revoke and reestablish access rights for all third-party apps tied to your Twitter account.

That's the advice being offered after a hacker hailing from Mauritania leaked what he said were access credentials for 15,167 Twitter users. The information was uploaded Tuesday to the Zippyshare website by "Mauritania Attacker" in the form of a 3.7-MB "twitter-accounts.txt" file that includes shout-outs to AnonGhost, a collective he founded that specializes in website defacements, as well as to Anonymous.

Is the Twitter leak just a teaser? Mauritania Attacker told Techworm that he'd compromised what the publication reported was the "entire database of users on Twitter," saying "no account is safe." The hacker also said he was weighing releasing all of the stolen information in the future.

The Twitter information leaked to date doesn't include passwords, but it does include Twitter IDs and links to profile pictures, as well as OAuth tokens. First adopted by Twitter in 2010, OAuth allows developers to create applications that can directly access Twitter without always having to ask for a user's password.

The risk now is that an attacker could use the corresponding user IDs and OAuth tokens to enjoy password-free access to those users' accounts. Mauritania Attacker, for example, noted in his Zippyshare upload that people could "use TamperData and connect directly to any account with the auth_token." That refers to Tamper Data, a well-reviewed Firefox plug-in the developer bills as a way "to view and modify HTTP/HTTPS headers and post parameters." The plug-in was designed as an HTTP response and request trace and time-testing tool, as well as a way to test Web applications by allowing researchers to create arbitrary POST parameters. But in the hands of someone possessing valid Twitter OAuth tokens and their corresponding user IDs, the tool could be used to gain access to anyone's Twitter account.

[ Twitter has beefed up security, but two-factor authentication isn't enough. Read Twitter Two-Factor Authentication: Too Little, Too Late? ]

Twitter didn't immediately respond to an emailed request for comment about whether the leaked information was legitimate or posed a risk to users.

If the leaked data is genuine, there is fortunately an easy fix: Twitter users can revoke and then reauthorize access rights for all third-party apps, which invalidates their current OAuth tokens and causes new ones to be issued, according to security expert Alan Woodward, who teaches at the University of Surrey in England.

"Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third-party apps that have access," Woodward told GigaOm. "The reason is that at present Twitter OAuth tokens, once issued, do not expire. You have to manually revoke them ... and then just re-log in when/if you want to re-access Twitter via that app. This way a new token will be issued."

Woodward also noted that Mauritania Attacker had likely obtained the OAuth tokens after hacking into a third-party service rather than by hacking into Twitter's authentication servers.
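The advice above rests on two properties of the token store behind an "Apps" settings page: revoking an app must invalidate every token it holds for that user, and a fresh authorization must mint a different token. The following is an added, constructed example written for this article, not Twitter's code; the class and function names (TokenStore, issue_token, revoke_app, validate) are hypothetical. It models the non-expiring tokens Woodward describes, shows that a leaked token stays usable until the user revokes the app, and contrasts that with the same store configured to expire tokens.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Added, constructed example: a minimal access-token store in the style of the
# OAuth user tokens the article describes. Nothing here is Twitter's code; the
# class and function names are hypothetical.


class FakeClock:
    """Controllable clock so expiry behaviour can be demonstrated offline."""

    def __init__(self, start: float) -> None:
        self.now = start

    def time(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class TokenRecord:
    user_id: str
    app_id: str
    issued_at: float
    expires_at: Optional[float]  # None reproduces "tokens, once issued, do not expire"
    revoked: bool = False


class TokenStore:
    def __init__(self, clock, default_ttl: Optional[float] = None) -> None:
        self._clock = clock
        self._default_ttl = default_ttl
        self._tokens: Dict[str, TokenRecord] = {}

    def issue_token(self, user_id: str, app_id: str) -> str:
        """Issue a fresh, unguessable token for (user, app)."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        expires = None if self._default_ttl is None else now + self._default_ttl
        self._tokens[token] = TokenRecord(user_id, app_id, now, expires)
        return token

    def validate(self, token: str) -> Optional[TokenRecord]:
        """Return the record if the token is live; None if unknown, revoked or expired."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        if rec.expires_at is not None and self._clock() >= rec.expires_at:
            return None
        return rec

    def revoke_app(self, user_id: str, app_id: str) -> int:
        """What 'remove this app' in account settings should do: kill every
        live token that app holds for this user. Returns the number revoked."""
        count = 0
        for rec in self._tokens.values():
            if rec.user_id == user_id and rec.app_id == app_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


def demo() -> dict:
    """Walk through the leak scenario and the revoke-then-reauthorize fix."""
    clock = FakeClock(1_000_000.0)

    # Store with non-expiring tokens: the situation the article describes.
    forever = TokenStore(clock.time)
    leaked = forever.issue_token("user-42", "third-party-app")
    clock.advance(365 * 86400)  # a year later the leaked token still works
    valid_after_year = forever.validate(leaked) is not None
    revoked = forever.revoke_app("user-42", "third-party-app")
    valid_after_revoke = forever.validate(leaked) is not None
    fresh = forever.issue_token("user-42", "third-party-app")  # user re-authorizes

    # Same store logic with a TTL: a leaked token dies on its own.
    short_lived = TokenStore(clock.time, default_ttl=3600)
    ttl_token = short_lived.issue_token("user-42", "other-app")
    valid_within_ttl = short_lived.validate(ttl_token) is not None
    clock.advance(3601)
    valid_after_ttl = short_lived.validate(ttl_token) is not None

    return {
        "valid_after_year": valid_after_year,
        "revoked_count": revoked,
        "valid_after_revoke": valid_after_revoke,
        "fresh_token_differs": fresh != leaked,
        "fresh_token_valid": forever.validate(fresh) is not None,
        "valid_within_ttl": valid_within_ttl,
        "valid_after_ttl": valid_after_ttl,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The store revokes by (user, app) pair rather than by individual token, which is what the settings-page workflow needs: the user never sees token values, only app names. The TTL variant shows why a leak of non-expiring tokens is worse than a leak of short-lived ones, and why a rotation step is the only remedy when no expiry exists.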

This isn't Mauritania Attacker's first hack attack. Earlier this year, the self-described twenty-something, non-extremist Muslim claimed to possess "all governments emails of USA" and published a teaser, which included both microsoft.com and cia.gov addresses, although no passwords. The promised full disclosure of all of those emails as part of OpUSA, however, never came to pass.

Even if Mauritania Attacker's new Twitter data dump -- aka dox -- is legitimate, it would be far from the first time that someone identified ways in which OAuth vulnerabilities could be exploited to hack into an online service. Several weeks ago, for example, security researcher Kelker Ryan said he'd attempted to warn Twitter that its implementation of OAuth 2 was vulnerable. "I contacted Twitter months ago stating that I had their private keys and that I would like to help them fix it," he said in a post to Coderwall. "Almost four months later, I have yet to [receive] a response after contacting them multiple times."

Likewise, Twitter isn't the only site to have faced OAuth-related vulnerabilities. For example, in May information security researcher Nir Goldshlager, CEO of Break Security, demonstrated how he'd used OAuth vulnerabilities to hack into Instagram accounts. He noted that Facebook, which had recently acquired Instagram, offered to pay him a bug bounty for his efforts, although he declined.

Just one month prior, Goldshlager detailed an attack technique that could be used to steal people's Facebook access tokens via OAuth, owing to a site redirection vulnerability in third-party Facebook apps such as Skype and Dropbox. "If the owner app domain has a site redirection, the attacker will then be able to steal the victim's access_token through the use of Facebook OAuth," Goldshlager reported.

Less than 24 hours after Goldshlager published the vulnerability details and a proof-of-concept attack, both Skype -- which is owned by Microsoft -- and Dropbox reported that they'd fixed the identified vulnerabilities.
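The Skype and Dropbox cases turn on one decision an authorization server makes: whether the redirect_uri in an authorization request has to match a pre-registered URI exactly, or merely has to sit on the app's registered domain. With domain-level matching, any page on that domain that forwards its visitors elsewhere becomes a path by which the access_token leaves the app's control, which is the weakness Goldshlager describes. The following added example is constructed for this article and is not Facebook's, Skype's or Dropbox's code; the app id, hostnames and function names are hypothetical. It runs the same candidate URIs through a loose, host-only check and a strict, exact-match check.

```python
from urllib.parse import urlsplit

# Added, constructed example: how an OAuth authorization server decides whether
# to send an access_token to a redirect_uri. The app registration, hosts and
# function names are hypothetical, not any real provider's code.

# Exact redirect URIs the app registered when it was created.
REGISTERED_REDIRECTS = {
    "app-123": {"https://app.example/oauth/callback"},
}


def loose_redirect_check(app_id: str, redirect_uri: str) -> bool:
    """Weak policy: accept any https URL on a registered host.
    An open redirector on that host then becomes a token exfiltration path."""
    registered_hosts = {
        urlsplit(u).hostname for u in REGISTERED_REDIRECTS.get(app_id, ())
    }
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.hostname in registered_hosts


def strict_redirect_check(app_id: str, redirect_uri: str) -> bool:
    """Hardened policy: the request must name one of the pre-registered URIs
    exactly (scheme, host, path and query), and may not carry a fragment."""
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(app_id, set())


# Constructed requests an authorization server might see for app-123.
CANDIDATES = {
    "registered": "https://app.example/oauth/callback",
    # Same host, but a page that forwards its visitor to whatever `to` names.
    "open_redirector_on_app_host": "https://app.example/go?to=https%3A%2F%2Fother.example%2F",
    "foreign_host": "https://other.example/oauth/callback",
    "http_downgrade": "http://app.example/oauth/callback",
}


def evaluate(app_id: str = "app-123") -> dict:
    """Run every candidate through both policies; returns {name: (loose, strict)}."""
    return {
        name: (loose_redirect_check(app_id, uri), strict_redirect_check(app_id, uri))
        for name, uri in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:30} loose={loose!s:5} strict={strict}")
```

Only the open-redirector case separates the two policies: the loose check waves it through because the host matches, while the strict check rejects it because the path and query differ from what was registered. Exact matching is what later OAuth security guidance recommends for precisely this reason, and it also removes the provider's dependence on every page of the app's domain being free of redirects.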

Comments
cbabcock (User Rank: Apprentice), 8/22/2013 | 11:38:02 PM
re: Hacker Leaks 15,000 Twitter Access Credentials, Promises More
A mischief maker outdid himself with this one. What a pain for many people.
OtherJimDonahue (User Rank: Apprentice), 8/21/2013 | 7:08:07 PM
re: Hacker Leaks 15,000 Twitter Access Credentials, Promises More
"Twitter users can revoke and then reauthorize access rights for all third-party apps..."

Thanks--just did this and it was not a hassle. But the fact that this stuff keeps happening is truly annoying.