Twitter.com passwords compromised?

Here’s an article on CNET about last night’s Twitter hacking. Apparently Twitter’s DNS “was compromised”. CNET states that it is “unlikely that [any Twitter] accounts were compromised”. I don’t have many details of this attack, but if it was a DNS takeover, I question that assertion.

Some Twitter clients are vulnerable to DNS attacks

The Twitter blog implies that the name twitter.com was taken over. There are two scenarios under which a Twitter client will provide its user’s password to an attacker who has pointed the name ‘twitter.com’ to his machine.

The first is that the client uses HTTP basic auth over plain, unencrypted HTTP instead of HTTPS. In that case the client hands the username and password to whatever host currently answers as twitter.com, and at no point in the process does it verify that host’s identity.

The second scenario is that the client uses HTTPS, but does not also require and check a trusted certificate from the target host as part of the protocol. If that step is skipped, the HTTPS request is encrypted in transit, but the client has never verified that it is really talking to twitter.com. Unfortunately, this certificate handling can sometimes be tricky for developers to get right.

Originally, Twitter had no support for HTTPS at all, and to this day the Twitter REST API permits dumb HTTP basic authentication. Twitter’s own programming examples still show the URL “http://twitter.com/…”. This, coupled with error-prone HTTPS certificate handling in clients, makes me expect that more than a few Twitter clients are vulnerable to DNS attacks. Some will reveal your password to the first “twitter.com” that comes along.

Thus, if there was a DNS takeover of twitter.com, passwords were potentially compromised.
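The two scenarios above, as an added example that is not code from the original post: a constructed impostor host on localhost stands in for whatever machine a hijacked “twitter.com” would resolve to, a client built the way the HTTP-only examples suggest posts a status update to it, and the impostor reads the password straight out of the Authorization header; next to it, a hardened client only releases credentials over HTTPS with certificate and hostname verification turned on. The server, the credentials (“alice”/“s3cret”) and the function names are all assumptions made for the demo.

```python
import base64
import ssl
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CAPTURED = []  # Authorization headers the impostor host has seen

class ImpostorHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for whatever machine a hijacked name points at."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        CAPTURED.append(self.headers.get("Authorization"))  # just record it
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def basic_auth_request(base_url, user, password, status):
    """Build the status-update POST the way an HTTP basic auth client does."""
    req = urllib.request.Request(base_url + "/statuses/update.json",
                                 data=("status=" + status).encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)  # base64 is encoding, not encryption
    return req

def vulnerable_client(base_url, user, password, status):
    """Scenario 1: credentials go over plain HTTP to whoever answers the name."""
    urllib.request.urlopen(basic_auth_request(base_url, user, password, status), timeout=5).read()

def hardened_context():
    """Scenario 2 fix: TLS with certificate AND hostname verification enabled."""
    return ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True

def hardened_client(base_url, user, password, status):
    """Only release the password over a transport that verifies the peer."""
    if not base_url.startswith("https://"):
        raise ValueError("basic auth only over verified HTTPS")
    return urllib.request.urlopen(basic_auth_request(base_url, user, password, status),
                                  timeout=5, context=hardened_context()).read()

def demo():
    """Run the impostor on localhost; return the credentials it recovered."""
    server = HTTPServer(("127.0.0.1", 0), ImpostorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:  # "alice"/"s3cret" are constructed demo credentials
        vulnerable_client(f"http://127.0.0.1:{server.server_port}", "alice", "s3cret", "hi")
    finally:
        server.shutdown()
    return tuple(base64.b64decode(CAPTURED[-1].split()[1]).decode().split(":", 1))
```

Note that `hardened_client` never reaches the network in this demo; its point is the refusal plus the default context, which is what a client must keep if it wants a DNS takeover to end in a certificate error rather than a leaked password.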

Without more detail from Twitter or the hackers, however, we don’t really know what happened. It could be that the hackers didn’t actually get the DNS name “twitter.com”. It could be that all the vulnerable Twitter clients happened to be off during the time of the attack. It could be that the attackers didn’t think to log the incoming HTTP requests containing passwords and only wanted to add their greetings page and email address to twitter.com.

Comments welcome.

One Response to “Twitter.com passwords compromised?”

  1. maht Says:

    The Twitter developer notes tell you to start by using HTTP auth in the clear

    http://apiwiki.twitter.com/Things-Every-Developer-Should-Know#8AcommandlineisallyouneedtousetheTwitterAPInbsp

    without telling you that it gets sent in the clear:

    Post a status update and get the resulting status back as JSON: curl -u username:password -d status="your message here" http://twitter.com/statuses/update.json
