Technology is a wonderful thing, and I love nothing more than to experiment with it. As security professionals, it's in our best interest, and the best interests of the organizations we set out to protect, to understand new technology and the implications for security. I truly believe that you cannot understand how to secure something until you’ve had some hands-on time using it. This is part of the reason why you will see us on many of the popular social networking sites such as LinkedIn, Facebook, and even MySpace (I won’t link to them, but you can find both myself and Larry on at least LinkedIn and Facebook by our email addresses, see the Contact Page). The latest experiment: you can now find me on Twitter (Larry too!). These are turning out to be some fairly useful networking tools, but they present some risks and interesting attack scenarios.
For example, Twitter recently added the ability to send updates to Twitter, and receive updates from the people you are “following”, via Jabber. This is very handy: “TWITTER” just shows up as another entry in your buddy list. To update your own Twitter page, just send the text to the “TWITTER” buddy. When someone you follow makes an update, Twitter sends it as a Jabber IM message back to you. You can do the same thing with SMS text messages. The danger? This allows me to put content in one place and, using the Twitter network, push it to potentially thousands of people automatically! This means that if you can post some sort of exploit, or even a link to an exploit, to people’s Twitter accounts, it gets sent to a potentially wide audience. This sounds like the Smurf 2.0 attack to me (sorry, I couldn’t resist). You would of course need to hijack someone’s Twitter account, or discover an XSS in the Twitter web site, or some sort of authentication bypass. However, one of those vulnerabilities in the Twitter system could be extremely damaging due to the nature of the Twitter network. Not only do you have the ability to send malicious content to people’s browsers, but you can also send exploits to Jabber clients and people’s cell phones, all by just posting small amounts of content to one person’s Twitter page!
Ah, but you say, what are the chances of this type of vulnerability? Nitesh Dhanjani already found one…. This vulnerability allowed anyone who knows your phone number to essentially hijack your Twitter page. I was surprised not to see this exploited in the wild.