Dark Reading is part of the Informa Tech Division of Informa PLC



Hacker Leaks 15,000 Twitter Access Credentials, Promises More

Twitter users should revoke and reassign access for all third-party Twitter apps to mitigate vulnerability, security expert urges.

Twitter users: Revoke and reestablish access rights for all third-party apps tied to your Twitter account.

That's the advice being offered after a hacker hailing from Mauritania leaked what he said were access credentials for 15,167 Twitter users. The information was uploaded Tuesday to the Zippyshare website by "Mauritania Attacker" in the form of a 3.7-MB "twitter-accounts.txt" file that includes shout-outs to AnonGhost, a collective he founded that specializes in website defacements, as well as to Anonymous.

Is the Twitter leak just a teaser? Mauritania Attacker told Techworm that he'd compromised what the publication reported was the "entire database of users on Twitter," saying "no account is safe." The hacker also said he was weighing releasing all of the stolen information in the future.

The Twitter information leaked to date doesn't include passwords, but it does include Twitter IDs and links to profile pictures, as well as OAuth tokens. First adopted by Twitter in 2010, OAuth allows developers to create applications that can directly access Twitter without always having to ask for a user's password.

The risk now is that an attacker could use the corresponding user IDs and OAuth tokens to enjoy password-free access to those users' accounts. Mauritania Attacker, for example, noted in his Zippyshare upload that people could "use TamperData and connect directly to any account with the auth_token." That refers to Tamper Data, a well-reviewed Firefox plug-in the developer bills as a way "to view and modify HTTP/HTTPS headers and post parameters." The plug-in was designed as an HTTP response and request trace and time-testing tool, as well as a way to test Web applications by allowing researchers to create arbitrary POST parameters. But in the hands of someone possessing valid Twitter OAuth tokens and their corresponding user IDs, the tool could be used to gain access to anyone's Twitter account.


Twitter didn't immediately respond to an emailed request for comment about whether the leaked information was legitimate or posed a risk to users.

If the leaked data is genuine, there is fortunately an easy fix: Twitter users can revoke and then reauthorize access rights for all third-party apps, which will result in their current OAuth tokens being invalidated and new ones issued, according to security expert Alan Woodward, who teaches at the University of Surrey in England.

"Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third-party apps that have access," Woodward told GigaOm. "The reason is that at present Twitter OAuth tokens, once issued, do not expire. You have to manually revoke them ... and then just re-log in when/if you want to re-access Twitter via that app. This way a new token will be issued."

Woodward also noted that Mauritania Attacker had likely obtained the OAuth tokens after hacking into a third-party service rather than by hacking into Twitter's authentication servers.
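The revoke-and-reauthorize fix, and Woodward's point about non-expiring tokens, are easier to see in a small model of the server side. The following is an added example, not code from the article, from Twitter, or from any third-party app: a minimal token store for a service that issues OAuth tokens to third-party apps. The user ids, app name, and clock values are constructed.

```python
# Added example: not from the article, Twitter, or any third-party app.
# A minimal token store for a service that issues OAuth tokens to third-party
# apps. It shows why "revoke, then reauthorize" invalidates a leaked token, and
# why tokens that never expire (the situation Woodward describes) leave a leak
# live indefinitely. User ids, app names, and the clock are constructed.
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user_id: str
    app: str
    token: str
    issued_at: int      # constructed clock, in seconds
    revoked: bool = False


class TokenStore:
    """Server-side record of every token issued to a third-party app."""

    def __init__(self, ttl_seconds: int | None = None) -> None:
        self.ttl = ttl_seconds            # None = tokens never expire
        self._by_token: dict[str, Grant] = {}

    def authorize(self, user_id: str, app: str, now: int) -> str:
        """User approves an app; a fresh, unguessable token is issued."""
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Grant(user_id, app, token, now)
        return token

    def revoke_app(self, user_id: str, app: str) -> int:
        """User removes the app in settings: all of its live tokens die."""
        count = 0
        for grant in self._by_token.values():
            if grant.user_id == user_id and grant.app == app and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def resolve(self, token: str, now: int) -> str | None:
        """API side: which user does this bearer token act as? None = rejected."""
        grant = self._by_token.get(token)
        if grant is None or grant.revoked:
            return None
        if self.ttl is not None and now - grant.issued_at > self.ttl:
            return None
        return grant.user_id


def simulate_leak(ttl_seconds: int | None = None) -> tuple:
    """A user's token appears in a dump; the user revokes and reauthorizes the app."""
    store = TokenStore(ttl_seconds)
    t0 = 1_000_000
    token = store.authorize("12345", "example-client", t0)
    # Constructed stand-in for one line of the leaked file: (user id, token).
    leaked_user_id, leaked_token = "12345", token

    before = store.resolve(leaked_token, t0 + 3600)        # leak is live
    store.revoke_app(leaked_user_id, "example-client")
    after_revoke = store.resolve(leaked_token, t0 + 3600)  # leak is dead
    new_token = store.authorize("12345", "example-client", t0 + 3700)
    reissued = store.resolve(new_token, t0 + 3800)          # new token works
    return before, after_revoke, reissued, new_token != leaked_token


def still_valid_after(days: int, ttl_seconds: int | None) -> bool:
    """Does an un-revoked token still work after `days`? With no TTL, always."""
    store = TokenStore(ttl_seconds)
    token = store.authorize("12345", "example-client", 0)
    return store.resolve(token, days * 86_400) is not None


if __name__ == "__main__":
    print(simulate_leak())                      # ('12345', None, '12345', True)
    print(still_valid_after(365, None))         # True: non-expiring tokens
    print(still_valid_after(365, 30 * 86_400))  # False: a 30-day TTL bounds the exposure
```

The point of `still_valid_after` is the one Woodward makes: with no expiry, a leaked token works until the user notices and revokes it, so the only defence a user has is the manual housekeeping he describes. A service-side TTL (or refresh-token rotation) caps how long a dump like this one stays useful.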

This isn't Mauritania Attacker's first hack attack. Earlier this year, the self-described twenty-something, non-extremist Muslim claimed to possess "all governments emails of USA" and published a teaser, which included both microsoft.com and cia.gov addresses, although no passwords. The promised full disclosure of all of those emails as part of OpUSA, however, never came to pass.

Even if Mauritania Attacker's new Twitter data dump -- aka dox -- is legitimate, it would be far from the first time that someone identified ways in which OAuth vulnerabilities could be exploited to hack into an online service. Several weeks ago, for example, security researcher Kelker Ryan said he'd attempted to warn Twitter that its implementation of OAuth 2 was vulnerable. "I contacted Twitter months ago stating that I had their private keys and that I would like to help them fix it," he said in a post to Coderwall. "Almost four months later, I have yet to [receive] a response after contacting them multiple times."

Likewise, Twitter isn't the only site to have faced OAuth-related vulnerabilities. For example, in May information security researcher Nir Goldshlager, CEO of Break Security, demonstrated how he'd used OAuth vulnerabilities to hack into Instagram accounts. He noted that Facebook, which had recently acquired Instagram, offered to pay him a bug bounty for his efforts, although he declined.

Just one month prior, Goldshlager detailed an attack technique that could be used to steal people's Facebook access tokens via OAuth, owing to a site redirection vulnerability in third-party Facebook apps such as Skype and Dropbox. "If the owner app domain has a site redirection, the attacker will then be able to steal the victim's access_token through the use of Facebook OAuth," Goldshlager reported.

Less than 24 hours after Goldshlager published the vulnerability details and a proof-of-concept attack, both Skype -- which is owned by Microsoft -- and Dropbox reported that they'd fixed the identified vulnerabilities.
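The Goldshlager finding comes down to how loosely the authorization server matched the redirect_uri. As an added example, not code from the article or from Facebook, Skype, or Dropbox, here is an authorization server's redirect_uri check in two forms: a weak one that accepts any HTTPS URL on the app's registered host, so a redirecting endpoint on that host can forward the response (and the access_token in its fragment) onward, and a strict one that requires the whole URI to equal a registered value, the guidance in RFC 6749 section 3.1.2.2. All app ids, hosts, and paths are constructed.

```python
# Added example, not code from the article or from Facebook, Skype, or Dropbox.
# An authorization server's redirect_uri check. The weak form accepts any URL
# on the app's registered host, so a redirecting endpoint on that host can
# forward the response (and the access_token in its fragment) elsewhere; the
# strict form requires exact equality with a registered URI, the guidance in
# RFC 6749 section 3.1.2.2. All app ids, hosts, and paths are constructed.
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed registration: one app, one exact callback URI.
REGISTERED: dict[str, set[str]] = {
    "example-app": {"https://app.example/oauth/callback"},
}


def domain_only_match(app_id: str, redirect_uri: str) -> bool:
    """Weak check: scheme https and host equal to a registered callback's host."""
    hosts = {urlsplit(u).netloc for u in REGISTERED.get(app_id, ())}
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc in hosts


def exact_match(app_id: str, redirect_uri: str) -> bool:
    """Strict check: the whole URI must equal a registered one, with no fragment
    (the implicit flow appends #access_token=... to whatever URI is accepted)."""
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in REGISTERED.get(app_id, set())


def evaluate(redirect_uri: str, app_id: str = "example-app") -> dict[str, bool]:
    """Run both checks on one redirect_uri so the difference is visible."""
    return {
        "domain_only": domain_only_match(app_id, redirect_uri),
        "exact": exact_match(app_id, redirect_uri),
    }


if __name__ == "__main__":
    for uri in (
        "https://app.example/oauth/callback",                 # the registered URI
        "https://app.example/go?next=https://other.example",  # redirecting endpoint, same host
        "https://other.example/oauth/callback",               # unrelated host
    ):
        print(uri, evaluate(uri))
```

The middle case is the shape of the problem the article describes: the redirecting endpoint lives on the app's own host, so a host-level check passes it, and the access token delivered to that URI ends up wherever the endpoint forwards. Exact matching rejects it without the provider needing to know anything about the app's pages; that is why the fix on the provider side is a matching rule, while the fix on the app side (what Skype and Dropbox shipped) is closing the redirection itself.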

Comments
cbabcock, User Rank: Apprentice, 8/22/2013 | 11:38:02 PM
re: Hacker Leaks 15,000 Twitter Access Credentials, Promises More
A mischief maker outdid himself with this one. What a pain for many people.

OtherJimDonahue, User Rank: Apprentice, 8/21/2013 | 7:08:07 PM
re: Hacker Leaks 15,000 Twitter Access Credentials, Promises More
"Twitter users can revoke and then reauthorize access rights for all third-party apps..."

Thanks--just did this and it was not a hassle. But the fact that this stuff keeps happening is truly annoying.