Twitter “hacked” aka a nice example of CSRF

Share

Today marked an interesting day in Twitter history: a learning opportunity for the masses.  If you use Twitter, you probably saw one of your friends issue a tweet like the following:

Don’t Click: http://tinyurl.com/amgzs6

 

And, probably like many of the people out there, you clicked the link.  By the way, if you clicked the link above, good job.  You’re now one of the tens, possibly hundreds, of thousands of Twitter users that clicked that.

And then, you found out that your Twitter account got HACKED!  Even prolific blogger Dooce clicked, and subsequently decided her account had been compromised.  Her followup tweet was

My twitter account got hacked. That last tweet was a hack, not my doing. Apologies for any inconvenience.

“Inconvenience”?  Your inability to not click an unknown link resulted in all your readers’ accounts being exposed to this.

Here’s the thing, though: your account is fine.  It wasn’t compromised.  At least, not in the way you are thinking.  I’m sure you’re thinking someone broke in, posted as you, and took off.  Now they have your username, password, measurements, shoe size, and even the length of your… hair.  I was going to say hair.  I promise.

Well, you’re wrong.  They don’t.

What happened?  Well, you clicked the link.  Alright, let’s get technical.

You’re on Twitter.  In fact, you’ve probably logged in to Twitter, so your browser has an authenticated session.  If you don’t know what that means, it’s simply that your browser has a piece of information that identifies you as you.  That info allows you access to your account, your tweets, your friends, and so on.  When you clicked the “Don’t Click” link, something happened: you opened a web page.  That’s all you saw.  The web page, redirected via TinyURL.com, was http://www.umoor.eu/blog/yes-we-can.php.

Don’t worry, both the TinyURL and the yes-we-can.php pages have since been disabled.

Take page contained two thing of note: a button, which you could see, and an iframe, which you could not see.  The button was simple enough:

button {position: absolute;top: 10px;left: 10px;z-index: 1;width: 120px;}

It just sat there, looking bored.  The iframe was more interesting:

iframe {position: absolute;width: 550px;height: 228px;top: -170px;left: -400px;z-index: 2;opacity: 0;filter: alpha(opacity=0);}

The CSS, you’ll notice, sets a size and height, but positions it off to the side and makes it transparent.  You were not supposed to even know it’s there.  Now, source of the iframe is what matters.  Remember, it’s hidden, so you see none of this.

iframe src=”http://twitter.com/home?status=Don’t Click: http://tinyurl.com/amgzs6″ scrolling=”no”

Since Twitter allows you to set you status by tacking the status on to the “home” URL, the iframe made the same request.  Backing up, you were (probably) authenticated to Twitter, so there were no problems simply updating your status.  From there, your friends saw it, clicked the link, and their own status was updated.  And it cascaded.

How bad did it cascade?  Here is the Twitter search for just that URL.

So, did you account get “hacked”?  Not exactly.  The account was not compromised or broken into, but it did perform actions on your behalf without you knowing about it.  Do you need to run and change your password?  Not this time.  How about, instead, you find out where links go before you trust them.  Then again, if you’re an Obama supporter, anything with “yes-we-can” in it will probably get you.  By the way, if you take a TinyURL and put “preview” in it, you can see where it goes without going there.  So , http://tinyurl.com/amgzs6 becomes http://preview.tinyurl.com/amgzs6.

 

Now, I want you to think about something: in this case, you were exploited and inadvertently posted to Twitter.  What if, instead of posting to Twitter, the iframe had tried to transfer money from your bank account?

And, most importantly, what can you do about it?  Learn where links are going before you click, and download and use CSRFblocker, which will be available soon from the Hexagon Security think-tank.

Credit: @reverz and @nathanhamiel

Share

One thought on “Twitter “hacked” aka a nice example of CSRF

Leave a Reply

Your email address will not be published. Required fields are marked *