F**k That; Love The Tool You’re With window.resize firing frequency in browsers
Dec 31

Not just social history, actual information from Twitter

Security, Tech with tags: Add comments
<html>
<head>
<script>
 
document.write("This page should show you your twitter info if you're logged in. (If you see a login box make sure you're logged into Twitter)<br/><br/>");
 
// forgive the document.write ugliness
function orly(data)
{
document.write("Your username is "+data[0]['user']['screen_name']+"<br>");
document.write("Your real name is "+data[0]['user']['name']);
 
}
</script>
<script src="http://twitter.com/statuses/user_timeline.json?count=1&callback=orly"></script>
 
</head>
<body>
 
</body>
</html>

What is that is all it took to grab your username and even real name out of Twitter? Try it, it works.

Yowser?!

(via Bill Zeller)

12 Responses to “Not just social history, actual information from Twitter”

  1. Jason Harwig Says:

    There is a lot of info in there including lat/long if the user uses a location aware twitter client.

    Simple fix would be to send only a json object back. Instead of the orly function call.

  2. Bill Zeller Says:

    I noticed this when Dion linked to “My First Follow”:
    http://dcortesi.com/tools/my-first-follow/
    (it’s how they determine your username).

    That site doesn’t appear to be doing anything malicious with your data, but any site you visit could identify your twitter username or your real name, if you’ve set it.

  3. David Says:

    @Jason: Sending a JSON object back instead of using the JSON-P callback wouldn’t change anything — the same information would be exposed, it’d just be *slightly* more difficult to retrieve. The “fix” would be to not have API methods that return the current user’s information without needing an ID provided.

    Or, rather, the fix would be to move to *not* using HTTP auth. As it is, any page on the ‘net can do things like post a new tweet, or send a direct message, or update your profile…

  4. Dave Johnson Says:

    The fix is to return back just the JSON and enclosed in a JavaScript comment, or a while (true) loop or prefixed with throw. This is a problem with any web auth API that returns JSONP. XMLP on the other hand … :)

  5. Carter Rabasa Says:

    I agree with David. Isn’t this simply a consequence of Twitter having a ridiculous API? HTTP-Auth, no remote keys for 3rd party use, etc etc.

    I have no idea how this could be fixed by returning the data in a different format. Data is data, right?

  6. Dr Nic Says:

    Is this article + comments about Twitter having a useful API or an unsecure API? If its the latter then I disagree. The data is publically available on the html page so why not make it accessible via a JSON+callback API? If twitter don’t provide the API then any one can still write their own server-side API to do the HTML parsing.

    Sorry if I’m confused about some unspoken error of publishing otherwise public data via an API. Is this bad/wrong/evil?

  7. Jason harwig Says:

    @David I haven’t seen a working case of json object hijacking. Json array hijacking, yes, but only in firefox 2.

    @dave wrapping output in comments is considered more dangerous as any arbitrary script could be injected. See d crockford for details.

    @drnic the issue is privacy. All your twitter info is available to any site without your knowlege.

  8. David Says:

    @Jason: Hijacking isn’t the problem — it’s all public data, after all. The problem is that Twitter’s API lets sites request it without needing to know anything about you. They can send an API request that will return your twitter name if you’re logged in.

    The secondary issue is that, knowing that you’re logged in, they can then use that same API to change your twitter account.

    I feel that the way to solve this problem is twofold:

    (a) don’t have methods that return information based on the currently logged in user
    (b) switch to a non-HTTP Auth method of determining the current user. (I.e. an API method that provides a session-key that has to be used to interact with any of the authentication-required methods.)

  9. Damon Says:

    I was surprised to see Twitter allowed this as well when I created the firstfollow thing on dcortesi.com.

    re: being able to change somebody’s Twitter account:
    You’ll notice if you try to access any methods that contain private data (replies,dm’s) or update the account, Twitter requests authentication. Granted it’s not tough to get people to put in their password (as I showed with my twitter awesomeness site, heh).

    The other problem is that if somebody _does_ auth to the “API” at any point in a browsing session, another site could gain access to that private data as the browser caches basic auth credentials.

    I do also agree that this is a fairly significant privacy leak and one of the reasons I browse with the NoScript extension.

  10. P-O Says:

    Hmmm interesting
    I guess we always have to expect bugs like that, it wasen’t the firs and it will not be the last bug…

  11. Dave Johnson Says:

    @jason a link to any articles by crockford on that subject would be good. AFAIK as long as the returned data is in comments it cannot be hijacked nor is there any callback function so you are as safe as you are gonna get.

  12. Jason Harwig Says:

    @Dave Johnson

    Crockford’s reply in the comments
    http://tedhusted.wordpress.com/2007/04/10/fortifying-ajax/

    Dojo also removed support for comment prefixing in their last release due to the same vulnerability

Leave a Reply

Spam is a pain, I am sorry to have to do this to you, but can you answer the question below?

Q: What are the first four letters in the word British?