2009-01-29

TwitterFox Easy To Hack

Twitter is a very popular social networking site, which has already been in the news recently for its inherent security weaknesses. On top of that, there is a security flaw in TwitterFox, a popular Firefox plugin that users rely on to quickly and conveniently send and receive messages from Twitter. At the time of writing, this plugin has been downloaded over 1.1 million times from addons.mozilla.org alone.

Unfortunately, TwitterFox is not too secure. Every time a user refreshes his or her messages, the plugin sends the user ID and password to the server using HTTP Basic Access Authentication. Basic authentication does not encrypt anything: it only Base64-encodes the string username:password, so the credentials are protected exactly as well as the connection carrying them, and no better. To anyone who can read the request, as detailed below, it is as good as plaintext.

Hence, if an attacker captures the request your browser sends to Twitter's server, your credentials are compromised. All the attacker needs is a sniffer on your network, which is not hard on an office or college network, or a simple man-in-the-middle (MITM) attack. Note that a MITM attack against an encrypted connection only yields the credentials if the client accepts the attacker's forged certificate instead of aborting, which is exactly the behaviour worth checking in any client that speaks Basic authentication.

Most users (myself included) reuse the same password across multiple accounts. Hence, an attacker could gain access to far more than the victim's Twitter account.

My advice: stop using TwitterFox, at least until a more secure version of this plugin is available.


Here is the proof of concept for this vulnerability:

(1) At regular intervals (or when explicitly requested by the user), TwitterFox sends a request to the server for any new messages the user has received since the last sync.

(2) This request carries the user's login credentials using Basic Access Authentication. Basic authentication is NOT a security mechanism and provides no confidentiality of its own: the request simply contains an Authorization header of the form "Basic" followed by the Base64 encoding of username:password, and Base64 is reversible by anyone, with no key involved. (For further reading, see the Wikipedia entry on Basic Access Authentication.)


(3) Numerous desktop and even web-based tools will convert this captured string, which is only Base64-encoded, back to plaintext. One of the web-based tools is available here.
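As an added example (not code from the original post and not TwitterFox's own code), the following Python shows what the three steps above amount to from an observer's point of view: it parses a constructed capture of a polling request, recovers the username and password from the Basic Authorization header by reversing the Base64 encoding, and then judges whether those credentials were actually exposed given the transport the request travelled over (plain HTTP, properly verified HTTPS, or HTTPS where the client accepted a forged certificate). The request line, host, header values, credentials and transport flags are all constructed for illustration, not taken from real traffic.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Capture:
    """One captured HTTP request as a sniffer or interposed proxy sees it.

    over_tls / tls_verified are facts about the transport known to the
    capturing party; they are not part of the HTTP bytes themselves.
    """
    raw: bytes
    over_tls: bool
    tls_verified: bool = True


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into a lowercase-keyed header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers


def encode_basic(user: str, password: str) -> str:
    """Build the header value a Basic-auth client sends (RFC 2617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: there is no key, so whoever holds
    the header holds the credentials. Returns None for anything that is not
    a well-formed Basic header.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)       # passwords may contain ':'
    return user, password


def assess(capture: Capture) -> dict:
    """Decide whether the credentials in a capture are readable by its holder.

    Basic auth is only as safe as the transport under it: plaintext HTTP, or
    TLS whose certificate the client did not verify (a MITM with a forged
    certificate), both hand the password to the observer.
    """
    creds = decode_basic(parse_headers(capture.raw).get("authorization", ""))
    if creds is None:
        return {"basic_auth": False, "exposed": False, "user": None}
    exposed = (not capture.over_tls) or (not capture.tls_verified)
    return {"basic_auth": True, "exposed": exposed, "user": creds[0]}


# Constructed sample (not real traffic): a timeline-polling request carrying
# the Base64 encoding of "alice:s3cret". Path, host and agent are made up.
POLL_REQUEST = (
    b"GET /statuses/friends_timeline.json HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"User-Agent: constructed-poller/0.1\r\n"
    b"Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    b"\r\n"
)

# The same request observed over three different transports.
SAMPLES = {
    "plain_http": Capture(POLL_REQUEST, over_tls=False),
    "verified_https": Capture(POLL_REQUEST, over_tls=True, tls_verified=True),
    "mitm_forged_cert": Capture(POLL_REQUEST, over_tls=True, tls_verified=False),
}


def assess_all() -> Dict[str, dict]:
    return {name: assess(cap) for name, cap in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name:18s} basic_auth={result['basic_auth']} "
              f"exposed={result['exposed']} user={result['user']}")
```

The point of the transport flags is the check a practitioner should make of any Basic-auth client: the header itself is always trivially reversible, so the only question that matters is whether the client refuses to send it when the certificate cannot be verified.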

4 comments:

  1. TwitterFox uses SSL. Don't spread a false rumor.

  2. Kazuho,

    I hate to point a finger at your programme, even though I am a big fan of your plugin and honestly want to see an improved and secure version of it.

    I have the screenshot in there of the packet that is being sent out. The plugin sends over the user-credentials using basic auth.

  3. Kunal / Kazuho
    Both of you are correct.

    As Kunal mentioned, the user:passwd combo is being encoded in Base64 and then passed on to the server. But at the same time, this is being transferred over HTTPS, as Kazuho clarifies.

    The issue is if someone does MITM with a fake certificate, this might break like any other application.

    The question is, if SSL fails, how does TwitterFox react?
    # Does it abort the connection without passing the credentials?
    # Does it ignore the SSL warning and pass on the credentials?

    Because in case of SSL failure, TwitterFox is not throwing a warning like a browser or any other app would.
