Twitter.com passwords compromised?

December 18, 2009

Here’s an article on CNET about last night’s Twitter hacking. Apparently Twitter’s DNS “was compromised”. CNET states that it is “unlikely that [any Twitter] accounts were compromised”. I don’t have many details for this attack, but if it’s a DNS takeover, I question that assertion.

Some Twitter clients are vulnerable to DNS attacks

The Twitter blog implies that the name twitter.com was taken over. There are two scenarios under which a Twitter client will provide its user’s password to an attacker who has pointed the name ‘twitter.com’ to his machine.

The first is that the client uses “http basic auth” over plain HTTP instead of HTTPS. In that case the client sends the username and password, in the clear, to whatever host currently answers for twitter.com, and performs no verification of that host’s authenticity along the way.

The second scenario is that the client uses HTTPS, but fails to also require and examine a trusted certificate of authenticity from the target host as part of the protocol. If that last part is skipped, the HTTPS request will be encrypted for transit, but the client has not verified that it is really talking to twitter.com. Unfortunately, this certificate handling can sometimes be tricky for developers to get right.

Originally, Twitter had no support for HTTPS, and the Twitter REST API to this day permits dumb HTTP basic authentication. Twitter’s own programming examples still show the URL “http://twitter.com/…”. This, coupled with error-prone HTTPS certificate implementations in clients, makes me expect there to be more than a few Twitter clients vulnerable to DNS attacks. Some may reveal your password to the first “twitter.com” that comes along.
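To make the two scenarios concrete, here is an added example (my own illustration, not code from the original post or from Twitter or any Twitter client). It shows that an HTTP Basic header is only base64, so the host answering for the name reads the password directly, and it models the client-side check that separates a safe HTTPS request from one that merely encrypts to whoever answers. The credentials, URLs and the `build_request` helper are assumptions constructed for the example.

```python
"""Added example, not code from the original post or from Twitter: a minimal
Basic-auth client check that models the two leaky scenarios described above.
The credentials and URLs below are constructed for illustration."""
import base64
import ssl


def basic_auth_header(username, password):
    """Build the 'Authorization' value an HTTP Basic client sends. This is
    base64 encoding, not encryption: whoever receives the request recovers
    the password with one decode, which is why sending it over plain HTTP to
    whatever host currently answers for the name is fatal under a DNS takeover."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header_value):
    """What the receiving host (legitimate or not) sees: the plaintext pair."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not an HTTP Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def make_client_context(verify_peer=True):
    """TLS client settings. The default context requires a trusted certificate
    chain *and* a hostname match; verify_peer=False reproduces the second
    scenario in the post (encrypted to anyone who answers, no authenticity)."""
    ctx = ssl.create_default_context()
    if not verify_peer:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE     # accept any certificate at all
    return ctx


def resists_dns_takeover(url, ctx):
    """True only when the request is HTTPS and the context both validates the
    certificate chain and checks it against the requested hostname."""
    if not url.lower().startswith("https://"):
        return False                        # scenario 1: plaintext Basic auth
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def build_request(url, username, password, ctx):
    """Hardened client rule (hypothetical helper): refuse to attach credentials
    unless the transport authenticates the peer. Returns the headers to send."""
    if not resists_dns_takeover(url, ctx):
        raise RuntimeError(f"refusing to send credentials to {url}: peer not authenticated")
    return {"Authorization": basic_auth_header(username, password)}


if __name__ == "__main__":
    # Constructed sample values; 'twitter.com' is simply the name from the post.
    hdr = basic_auth_header("alice", "correct horse")
    print("plain HTTP leaks:", recover_basic_credentials(hdr))
    for url, ctx in [
        ("http://twitter.com/example", make_client_context()),
        ("https://twitter.com/example", make_client_context(verify_peer=False)),
        ("https://twitter.com/example", make_client_context()),
    ]:
        print(url, "resists DNS takeover:", resists_dns_takeover(url, ctx))
```

The point of `build_request` is that the decision belongs in the client before credentials are attached: a spoofed DNS answer cannot help an attacker if the client refuses to speak Basic auth except over a verified HTTPS connection.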

Thus, if there was a DNS takeover of twitter.com, passwords were potentially compromised.

Without more detail from Twitter or the hackers, however, we don’t really know what’s happened. It could be that the hackers didn’t actually get the DNS name “twitter.com”. It could be that all the vulnerable Twitter clients happened to be off during the time of the attack. It could be that the attackers didn’t think to log the incoming HTTP requests containing passwords and only wanted to add their greetings page and email address to twitter.com.

Comments welcome.

DNS takeover, 1998

December 18, 2009

Jon Postel, researcher and original DNS registrar, temporarily takes back two-thirds of the Internet naming authority from the U.S. government with a single email:

Date: Wed, 28 Jan 1998 17:04:11 -0800
From: postel@ISI.EDU
Subject: root zone secondary service
Cc: postel@ISI.EDU, iana@ISI.EDU

The following message is PGP signed by “iana”.

-----BEGIN PGP SIGNED MESSAGE-----

====================================
====================================

Hello.

As the Internet develops there are transitions in the management
arrangements. The time has come to take a small step in one of those
transitions. At some point on down the road it will be appropriate for
the root domain to be edited and published directly by the IANA.

As a small step in this direction we would like to have the
secondaries for the root domain pull the root zone (by zone transfer)
directly from IANA’s own name server.

This is “DNSROOT.IANA.ORG” with address 198.32.1.98.

The data in this root zone will be an exact copy of the root zone
currently available on the A.ROOT-SERVERS.NET machine. There is no
change being made at this time in the policies or procedures for
making changes to the root zone.

This applies to the root zone only. If you provide secondary service
for any other zones, including TLD zones, you should continue to
obtain those zones in the way and from the sources you have been.

- -jon.

Jon Postel
Internet Assigned Numbers Authority
c/o USC - ISI, Suite 1001
4676 Admiralty Way
Marina del Rey, CA 90292-6695

Talk: +1-310-822-1511
Fax: +1-310-823-6714
EMail: IANA@ISI.EDU

====================================
====================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNM/OggXEg/2i5jY1AQFOSgQAmFKo34Ytxi+8R78qG7/2BUP3KdWqH2Aj
zufrv5sYkfQDNeW+02JA5LZT6ZW5AgRgTDJpQkZlKKvBfzD52GCsDpgt1yUdxxUJ
3VfmK48AIEV9LVKAwlDmOqia++cp1nA8Jd7en35HnKAuFVFEKN0fYEq8FHXEAuOJ
TXXrSiVyCHE=
=qZXq
-----END PGP SIGNATURE-----

SOURCE: http://www.rfc-editor.org/pipermail/internet-history/2002-November/000376.html

All but the U.S. government secondary name servers agreed to switch.

On naming and knowing

December 18, 2009

I guess I’ll start over here at setting up some keys for the new year:

tag:masonlee.org,2010:
tag:telephonographic.net,2010:
tag:borange.com,2010:
tag:textie.me,2010:

These are tag URIs, as defined in RFC 4151, “The ‘tag’ URI Scheme”.
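As an added example (my own code, not part of the original post), here is a parser for the tag URI scheme that checks the identifiers above against the RFC 4151 grammar. The regular expressions transcribe the RFC’s ABNF; the `TagURI` class, the function names and the invalid sample inputs are constructed for this illustration. It goes slightly beyond the post’s four tags by also accepting e-mail authorities, non-empty specific parts and fragments, which the RFC permits.

```python
"""Added example, not from the original post: a parser for the tag URI scheme
(RFC 4151) applied to the identifiers listed above. The grammar follows the
RFC's ABNF; sample inputs are the post's own tags plus constructed invalid ones."""
import datetime
import re
from dataclasses import dataclass
from typing import Optional

# ABNF from RFC 4151, section 2.1, transcribed as regular expressions.
ALNUM = r"[A-Za-z0-9]"
DNSCOMP = rf"{ALNUM}(?:[A-Za-z0-9-]*{ALNUM})?"
DNSNAME = rf"{DNSCOMP}(?:\.{DNSCOMP})*"
EMAIL = rf"[A-Za-z0-9._-]+@{DNSNAME}"
AUTHORITY = rf"(?:{EMAIL}|{DNSNAME})"
DATE = r"\d{4}(?:-\d{2}(?:-\d{2})?)?"                          # year [-month [-day]]
PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"  # RFC 3986 pchar
PART = rf"(?:{PCHAR}|[/?])*"                                    # specific / fragment, may be empty

TAG_RE = re.compile(
    rf"^tag:(?P<authority>{AUTHORITY}),(?P<date>{DATE}):"
    rf"(?P<specific>{PART})(?:#(?P<fragment>{PART}))?$"
)


@dataclass(frozen=True)
class TagURI:
    authority: str          # DNS name or e-mail address the minter controlled...
    date: str               # ...on this date (together: the "tagging entity")
    specific: str           # minter-chosen string; the post's tags leave it empty
    fragment: Optional[str]


def parse_tag_uri(text):
    """Return a TagURI or raise ValueError. Besides the grammar, the RFC
    requires the date to be a real calendar date, which the regex alone
    cannot check, so the date parts are validated with datetime."""
    m = TAG_RE.match(text)
    if m is None:
        raise ValueError(f"not a well-formed tag URI: {text!r}")
    parts = [int(p) for p in m.group("date").split("-")]
    year = parts[0]
    month = parts[1] if len(parts) > 1 else 1
    day = parts[2] if len(parts) > 2 else 1
    datetime.date(year, month, day)   # raises ValueError on e.g. month 13 or Feb 30
    return TagURI(m.group("authority"), m.group("date"),
                  m.group("specific"), m.group("fragment"))


def is_tag_uri(text):
    """Boolean convenience wrapper around parse_tag_uri."""
    try:
        parse_tag_uri(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = ["tag:masonlee.org,2010:", "tag:telephonographic.net,2010:",
               "tag:borange.com,2010:", "tag:textie.me,2010:",
               "tag:alice@masonlee.org,2010-02-30:",   # constructed: invalid date
               "http://masonlee.org/"]                 # constructed: wrong scheme
    for t in samples:
        print(t, "->", parse_tag_uri(t) if is_tag_uri(t) else "invalid")
```

What the parser cannot check is the one property that makes a tag unique: that the authority name really was held by the minter on the stated date. That is a registration fact, not a syntactic one, which is exactly why the date is part of the identifier.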