Dark Reading is part of the Informa Tech Division of Informa PLC


Hacker Leaks 15,000 Twitter Access Credentials, Promises More

Twitter users should revoke and reassign access for all third-party Twitter apps to mitigate vulnerability, security expert urges.

Twitter users: Revoke and reestablish access rights for all third-party apps tied to your Twitter account.

That's the advice being offered after a hacker hailing from Mauritania leaked what he said were access credentials for 15,167 Twitter users. The information was uploaded Tuesday to the Zippyshare website by "Mauritania Attacker" in the form of a 3.7-MB "twitter-accounts.txt" file that includes shout-outs to AnonGhost, a collective he founded that specializes in website defacements, as well as to Anonymous.

Is the Twitter leak just a teaser? Mauritania Attacker told Techworm that he'd compromised what the publication reported was the "entire database of users on Twitter," saying "no account is safe." The hacker also said he was weighing releasing all of the stolen information in the future.

The Twitter information leaked to date doesn't include passwords, but it does include Twitter IDs and links to profile pictures, as well as OAuth tokens. First adopted by Twitter in 2010, OAuth allows developers to create applications that can directly access Twitter without always having to ask for a user's password.

The risk now is that an attacker could use the corresponding user IDs and OAuth tokens to enjoy password-free access to those users' accounts. Mauritania Attacker, for example, noted in his Zippyshare upload that people could "use TamperData and connect directly to any account with the auth_token." That refers to Tamper Data, a well-reviewed Firefox plug-in the developer bills as a way "to view and modify HTTP/HTTPS headers and post parameters." The plug-in was designed as a tool for tracing and timing HTTP requests and responses, and for testing Web applications by letting researchers create arbitrary POST parameters. But in the hands of someone possessing valid Twitter OAuth tokens and their corresponding user IDs, the tool could be used to gain access to anyone's Twitter account.

Twitter didn't immediately respond to an emailed request for comment about whether the leaked information was legitimate or posed a risk to users.

If the leaked data is genuine, there's fortunately an easy fix: Twitter users can revoke and then reauthorize access rights for all third-party apps, which will result in their current OAuth tokens being invalidated and new ones issued, according to security expert Alan Woodward, who teaches at the University of Surrey in England.

"Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third-party apps that have access," Woodward told GigaOm. "The reason is that at present Twitter OAuth tokens, once issued, do not expire. You have to manually revoke them ... and then just re-log in when/if you want to re-access Twitter via that app. This way a new token will be issued."

Woodward also noted that Mauritania Attacker had likely obtained the OAuth tokens after hacking into a third-party service rather than by hacking into Twitter's authentication servers.
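To make concrete why the revoke-and-reauthorize advice works, here is an added example (not code from the article, Twitter, or Woodward) of a bearer-token store for a hypothetical API: the server keeps only a hash of each token, a user's revocation kills every outstanding grant, and an optional lifetime bound supplies the expiry the article says Twitter tokens lacked. User, app and timestamp values are constructed.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

class TokenStore:
    """Issued bearer tokens keyed by SHA-256 digest, so a copy of the table alone is useless."""

    def __init__(self, max_age_seconds: Optional[float] = None):
        self.max_age = max_age_seconds              # None = "never expires", as the article describes
        self._grants: Dict[str, Tuple[str, str, float]] = {}  # digest -> (user, app, issued_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, app_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)           # handed to the app exactly once
        self._grants[self._digest(token)] = (user_id, app_id, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        key = self._digest(token)
        grant = self._grants.get(key)
        if grant is None:                           # unknown or revoked
            return None
        if self.max_age is not None and now - grant[2] > self.max_age:
            del self._grants[key]                   # expired: forget it
            return None
        return grant[0]

    def revoke_apps(self, user_id: str) -> int:
        """The housekeeping step quoted in the article: drop every app grant the user holds."""
        doomed = [k for k, g in self._grants.items() if g[0] == user_id]
        for k in doomed:
            del self._grants[k]
        return len(doomed)

def leak_scenario() -> dict:
    t0, year = 1_356_998_400.0, 365 * 86400.0       # constructed timestamp and interval
    store = TokenStore()                            # no expiry, as described for Twitter
    leaked = store.issue("user42", "thirdparty_app", t0)  # later turns up in a dump
    out = {"raw_token_in_table": leaked in store._grants,
           "leaked_valid_a_year_later": store.validate(leaked, t0 + year)}
    out["revoked_count"] = store.revoke_apps("user42")   # user revokes third-party apps
    out["leaked_after_revoke"] = store.validate(leaked, t0 + year)
    fresh = store.issue("user42", "thirdparty_app", t0 + year)  # user re-authorizes the app
    out["fresh_valid"] = store.validate(fresh, t0 + year)
    bounded = TokenStore(max_age_seconds=30 * 86400)  # the lifetime bound Twitter tokens lacked
    out["bounded_after_a_year"] = bounded.validate(bounded.issue("user42", "thirdparty_app", t0), t0 + year)
    return out
```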

This isn't Mauritania Attacker's first hack attack. Earlier this year, the self-described twenty-something, non-extremist Muslim claimed to possess "all governments emails of USA" and published a teaser, which included both microsoft.com and cia.gov addresses, although no passwords. The promised full disclosure of all of those emails as part of OpUSA, however, never came to pass.

Even if Mauritania Attacker's new Twitter data dump -- aka dox -- is legitimate, it would be far from the first time that someone identified ways in which OAuth vulnerabilities could be exploited to hack into an online service. Several weeks ago, for example, security researcher Kelker Ryan said he'd attempted to warn Twitter that its implementation of OAuth 2 was vulnerable. "I contacted Twitter months ago stating that I had their private keys and that I would like to help them fix it," he said in a post to Coderwall. "Almost four months later, I have yet to [receive] a response after contacting them multiple times."

Likewise, Twitter isn't the only site to have faced OAuth-related vulnerabilities. For example, in May information security researcher Nir Goldshlager, CEO of Break Security, demonstrated how he'd used OAuth vulnerabilities to hack into Instagram accounts. He noted that Facebook, which had recently acquired Instagram, offered to pay him a bug bounty for his efforts, although he declined.

Just one month prior, Goldshlager detailed an attack technique that could be used to steal people's Facebook access tokens via OAuth, owing to a site redirection vulnerability in third-party Facebook apps such as Skype and Dropbox. "If the owner app domain has a site redirection, the attacker will then be able to steal the victim's access_token through the use of Facebook OAuth," Goldshlager reported.

Less than 24 hours after Goldshlager published the vulnerability details and a proof-of-concept attack, both Skype -- which is owned by Microsoft -- and Dropbox reported that they'd fixed the identified vulnerabilities.
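As an added example (not code from the article or from any of the companies named), here is the permissive redirect_uri rule under which a forwarder on an app's own domain can end up receiving a token, beside the exact-match rule that refuses it; the authorization server, client registration and hostnames are constructed.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed registration data: the only redirect target this client ever
# registered with the hypothetical authorization server.
REGISTERED = {"client_app": ("https://client.example/oauth/callback",)}

def weak_same_host_policy(app_id: str, requested: str) -> bool:
    """Permissive rule: any URL on a registered host may receive the token.
    If anything on that host forwards visitors elsewhere, the token goes with them."""
    hosts = {urlsplit(u).hostname for u in REGISTERED.get(app_id, ())}
    return urlsplit(requested).hostname in hosts

def strict_exact_policy(app_id: str, requested: str) -> bool:
    """Corrected rule: https only, no fragment, and a byte-for-byte match against a
    pre-registered URI. No prefix, wildcard or same-host matching."""
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment or not parts.hostname:
        return False
    return requested in REGISTERED.get(app_id, ())

# Constructed redirect_uri values an authorization request might carry.
CANDIDATES = (
    "https://client.example/oauth/callback",                          # the registered URI
    "https://client.example/oauth/callback?state=abc",                # extra query string
    "https://client.example/redirect?next=https://elsewhere.example", # forwarder on the same host
    "http://client.example/oauth/callback",                           # scheme downgrade
    "https://client.example/oauth/callback#frag",                     # fragment smuggled in
    "https://client.example.elsewhere.example/oauth/callback",        # look-alike host
)

def compare_policies(app_id: str = "client_app") -> Dict[str, Tuple[bool, bool]]:
    """Map each candidate to (weak_accepts, strict_accepts)."""
    return {u: (weak_same_host_policy(app_id, u), strict_exact_policy(app_id, u))
            for u in CANDIDATES}
```

Only the first candidate passes the strict rule; the same-host rule waves through every candidate whose hostname matches, including the forwarder that the article's Skype and Dropbox cases turned on.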

Comments
cbabcock, User Rank: Apprentice, 8/22/2013 | 11:38:02 PM
re: Hacker Leaks 15,000 Twitter Access Credentials, Promises More
A mischief maker outdid himself with this one. What a pain for many people.
OtherJimDonahue, User Rank: Apprentice, 8/21/2013 | 7:08:07 PM
re: Hacker Leaks 15,000 Twitter Access Credentials, Promises More
"Twitter users can revoke and then reauthorize access rights for all third-party apps..."

Thanks--just did this and it was not a hassle. But the fact that this stuff keeps happening is truly annoying.