asfws 2012 - contourner les conditions d’utilisation et l’api du service twitter par nicolas...
DESCRIPTION
TRANSCRIPT
![Page 1: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/1.jpg)
Application Security Forum - 2012Western Switzerland
7-8 novembre 2012Y-Parc / Yverdon-les-Bainshttps://www.appsec-forum.ch
AbusingTwitter APINicolas Seriot
![Page 2: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/2.jpg)
![Page 3: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/3.jpg)
Bio
• Cocoa developer
• HES Software Engineer
• MAS Eco. Crime Investigation
• Twitter user since July, 2008
• Father of a newborn
![Page 4: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/4.jpg)
Agenda
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
![Page 5: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/5.jpg)
2006 2007 2008 2009 2010 2011 2012
5000 22501M65
140M340M
Twee
ts/d
ay
promo.tweetsmobile
promo.tweetsweb
verifiedaccounts
(celebrities)Twitterlaunch
trendingtopics
nomoreRSS
last OS X client update
TweetDeckbuyout
Tweetiebuyout
DickCostolo
CEO
stricter ToS,display guidelines
API
HTTP Basic AuthenticationOAuth API v. 1.0
v. 1.1
now $8 billion valuation,top-10 most visited websites
![Page 6: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/6.jpg)
March 2013: Maximum Evilness
“We’re trying to limit certain use casesthat occupy the upper-right quadrant.”
https://dev.twitter.com/blog/changes-coming-to-twitter-api
![Page 7: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/7.jpg)
https://dev.twitter.com/terms/display-requirements
• The author’s name and @username must be displayed to the right of the avatar.
• Reply, Retweet and Favorite Tweet actions must always be available.
• No other 3rd party actions similar to Follow, Reply, Retweet may be attached to a Tweet.
• The Twitter logo or Follow button for the Tweet author must always be displayed.
• The Tweet timestamp must always be linked to the Tweet permalink.
• A timeline must not be rendered with non-Twitter content. e.g. from other networks.
![Page 8: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/8.jpg)
"Developers ask us if they should build client apps that mimic or reproduce
the mainstream Twitter consumer client experience. The answer is no."
"We need to move to a less fragmented world, where every user can experience Twitter in a
consistent way."
https://groups.google.com/forum/#!msg/twitter-development-talk/
yCzVnHqHIWo/sC34r_ZyMLYJ
• Max. 100’000 users per Twitter client app.
• “Twitter discourages development in this area” https://dev.twitter.com/terms/api-terms
![Page 9: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/9.jpg)
"Twitter obviously wants to make money by advertising in the stream. This will be impossible if all of the mechanisms aren't implemented to spec
within a client. They need full control of how the information is presented, and do not have the bandwidth to micromanage ads with third
parties to prevent fraud, poor presentation, etc,"
http://www.theverge.com/2012/7/9/3135406/twitter-api-open-closed-facebook-walled-garden
Developers ♥ Stupid Rules!
![Page 10: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/10.jpg)
Breaking the Rules
• OAuth authentication for every API request
• "We reserve the right to revoke your app" https://dev.twitter.com/terms/api-terms
• Can a rogue client spoof the identity of a regular client and use the API as it wants?
![Page 11: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/11.jpg)
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
![Page 12: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/12.jpg)
http://hueniverse.com/2007/09/oauth-isnt-always-the-solution/
![Page 13: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/13.jpg)
@nst021 bitly Twitter
request_token
authorize
“Use my account”
access_token
home_timeline green coin is for bitly and
@nst021
OA
uth
/ Web
![Page 14: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/14.jpg)
@nst021 / iOS Twitter
request_token
authorize
access_token
home_timeline green coin is for bitly and
@nst021
OA
uth
/ Des
ktop
![Page 15: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/15.jpg)
@nst021 / iOS Twitter
request_token
authorize
access_token
home_timeline green coin is for bitly and
@nst021
consumer_secret
consumer_key
access_secret
access_key
verifier
request_secret
request_key
PIN
: 3 p
hase
sA
uthe
ntic
atio
n
![Page 16: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/16.jpg)
@nst021 / iOS Twitter
access_token
home_timeline green coin is for bitly and
@nst021
consumer_secret
consumer_key
access_secret
access_key
username
password
xAut
h: 1
pha
seA
uthe
ntic
atio
n
![Page 17: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/17.jpg)
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
![Page 18: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/18.jpg)
/usr/bin/strings
$ strings /Applications/Twitter.app/ \ Contents/MacOS/Twitter
3rJOl1ODzm9yZy63FACdg5jPo**************************************
![Page 19: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/19.jpg)
Test the Tokens
demo
#!/usr/bin/env python
import tweepy
CONSUMER_KEY = '3rJOl1ODzm9yZy63FACdg'CONSUMER_SECRET = '5jPo**************************************'
auth = tweepy.OAuthHandler(CONSUMER_KEY, CONSUMER_SECRET)auth_url = auth.get_authorization_url()print "Please authorize:", auth_url
verifier = raw_input('PIN: ').strip()auth.get_access_token(verifier)
print "ACCESS_KEY:", auth.access_token.keyprint "ACCESS_SECRET:", auth.access_token.secret
![Page 20: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/20.jpg)
/usr/bin/gdb$ gdb attach <PID of OS X accountsd>
(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po $raxtXvOrlJDmLnTfiUqJ3Kuw
(gdb) b -[OACredential consumerSecret](gdb) finish(gdb) po $raxAWcB**************************************
![Page 21: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/21.jpg)
/usr/bin/gdb$ gdb attach <PID of iPhoneSimulator accountsd>
(gdb) b -[OACredential consumerKey](gdb) finish(gdb) po (int*)$eaxWXZE9QillkIZpTANgLNT9g
(gdb) b -[OACredential consumerSecret](gdb) finish(gdb) po (int*)$eaxAau5**************************************
demo
![Page 22: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/22.jpg)
Logging Freed Strings
$ sudo dtrace -n 'pid$target::free:entry { \ printf("%s", arg0 != NULL ? \ copyinstr(arg0) : \ "<NULL>"); }' -p 10123
![Page 23: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/23.jpg)
Objective-C Variant@implementation NSString (XX)+ (void)load { Swizzle([NSString class], @selector(dealloc), @selector(my_dealloc));}- (void)my_dealloc { NSLog(@"%@", self); [self my_dealloc];}@end
(gdb) p (char)[[NSBundle bundleWithPath: @"/Library/Frameworks/XX.framework"] load]
![Page 24: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/24.jpg)
Other Techniques
• Memory dump
$ sudo ./gcore64 -c /tmp/dump.bin 4149
$ strings dump.bin | sort -u > /tmp/dump.txt
# key=consumerSecret&$ egrep "[a-zA-Z0-9]{20}&$" /tmp/dump.txt
• Google…
![Page 25: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/25.jpg)
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
![Page 26: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/26.jpg)
OS X Twitter Credentials
Accounts.framework
@nst021xxxxxx
![Page 27: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/27.jpg)
STTwitterAPIWrapper
+ twitterAPIWith... - getHomeTimeline - postStatus
STTwitterAPIWrapper
+ twitterAPIWith... - getHomeTimeline - postStatus
STTwitterOAuthProtocolSTTwitterOAuthProtocol
STOAuthOSXSTTwitterOAuth
STOAuthOSXSTHTTPRequest
Accounts.frameworkSocial.framework
STTw
itter
can use OS X consumer tokens…
…or can use custom consumer tokens
![Page 28: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/28.jpg)
demo from 55.750984, 37.617571
STTwitter
https://github.com/nst/STTwitter
![Page 29: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/29.jpg)
TwitHunter
https://github.com/nst/TwitHunter
![Page 30: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/30.jpg)
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
Agenda
![Page 31: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/31.jpg)
1. Taking OAuth from web to Desktop was a conceptual error. Consumer tokens simply just cannot be kept secret on the Desktop.
2. Twitter cannot realistically revoke keys from popular clients, especially from OS X / iOS.
3. xAuth brings nothing more that HTTP Digest Authentication, and sends password in the request token phase.
4. OAuth cannot reliably identify the client, and additionally puts the users at risk.
OAuth Session Fixation Attack Demo
![Page 32: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/32.jpg)
![Page 33: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/33.jpg)
5. I have to conclude that the real grounds for using OAuth is neither “security” nor spam fighting but desire to control third-party client applications to please big media, consumers and advertisers.
6. Sadly for Twitter, ensuring that the requests come from a certain client application is a very hard problem, and I am not sure if it can be solved.
![Page 34: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/34.jpg)
Recap
1. Twitter
2. OAuth
3. Ripping Consumer Tokens
4. iOS / OS X + STTwitter
5. Discussion
![Page 35: ASFWS 2012 - Contourner les conditions d’utilisation et l’API du service Twitter par Nicolas Seriot](https://reader030.vdocument.in/reader030/viewer/2022020206/5406fad78d7f7288088b491f/html5/thumbnails/35.jpg)
Twitter: @nst021
Web: http://seriot.ch/abusing_twitter_api.php
Slides: http://www.slideshare.net/ASF-WS/presentations