Pranav Hivarekar's Security Blog

REST-API Lover | Security Researcher | API Coder | Ambivert | GET /noob


Twitter's Bug - Importing contacts (OAuth Flaw)

Introduction About Twitter's OAuth Integrations

Twitter uses several third-party OAuth integrations (Gmail, AOL, Outlook, Yahoo, etc.) so that its users have an easy way to import contacts from those services.
For example, a user who has many email contacts but is new to Twitter can import contacts directly from the email service and find all of his/her friends on Twitter.
[Image: Import Contacts]

The Story Of The Hack

The Outlook OAuth integration used on Twitter was a deprecated version. You can read about OAuth 2.0 here.

When the user clicks on the Outlook icon, the request sent looks like:

https://login.live.com/oauth20_authorize.srf?state=redacted&scope=wl.basic%20wl.emails%20wl.contacts_emails&redirect_uri=https%3A%2F%2Ftwitter.com%2Finvitations%2Foauth_landing&client_id=000000004403A722&response_type=code

Note the redirect_uri parameter: it is set to https%3A%2F%2Ftwitter.com%2Finvitations%2Foauth_landing (URL-encoded https://twitter.com/invitations/oauth_landing).
Now, we can change redirect_uri to any Twitter URL:
any *.twitter.com was accepted, because the integration was using a deprecated version.

Also make note of response_type=code. It shows that Twitter has implemented the server-side (authorization code) OAuth flow: after receiving the code, Twitter's server exchanges it with Microsoft's server for an access_token, and uses that access_token to import contacts from Outlook.
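To make the redirect_uri problem concrete, here is an added example (my code, not Twitter's or Microsoft's) that contrasts a wildcard host check modelled on the "any *.twitter.com" behaviour described above with an exact-match check against pre-registered URIs; the registered list and the two test URLs are taken from the URLs shown in this post, and the modelled weak check is an assumption about the old behaviour.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the legitimate landing page shown in the post.
REGISTERED_REDIRECTS = {"https://twitter.com/invitations/oauth_landing"}

# The legitimate redirect and the abused one from the exploit link above.
LEGIT_REDIRECT = "https://twitter.com/invitations/oauth_landing"
ABUSED_REDIRECT = ("https://api.twitter.com/oauth/authorize"
                   "?oauth_token=1BXYoJbg57y8iPjuOn1MHI8HTFdXubvc")


def weak_redirect_allowed(uri: str) -> bool:
    """Assumed model of the deprecated check: any https://*.twitter.com target
    passes, whatever its path or query string. Such a check lets the code be
    delivered to a page that never consumes it, where it can leak via Referer."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == "twitter.com" or host.endswith(".twitter.com"))


def strict_redirect_allowed(uri: str, registered=REGISTERED_REDIRECTS) -> bool:
    """Exact-match check recommended for OAuth clients: scheme, host (including
    any port) and path must equal a registered URI, and no userinfo, query
    string or fragment is tolerated, so the code only reaches the endpoint
    that actually exchanges it."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    if "@" in parts.netloc or not parts.netloc:
        return False
    normalised = f"https://{parts.netloc.lower()}{parts.path}"
    return normalised in registered


if __name__ == "__main__":
    for label, uri in (("legit", LEGIT_REDIRECT), ("abused", ABUSED_REDIRECT)):
        print(f"{label:6} weak={weak_redirect_allowed(uri)!s:5} "
              f"strict={strict_redirect_allowed(uri)}")
```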

So, my job was to steal the code. The attack vector for stealing the code is the Referer header. This was the hardest part, because Twitter uses a link shim, t.co:
when a user posts any link on Twitter, it gets converted to something like http://t.co/anything.

When the user visits http://t.co/anything it redirects to the site, but wait ...
it strips the Referer header from the request. So, we cannot use it to leak the code via Referer.

I was like
[Image: smiley]

Then I noticed that any *.twitter.com is allowed, so it was my turn to flip the game on Twitter. I found a page in Twitter's own OAuth implementation that can be used to leak the code via Referer.

Game starts now ...!

I created an app and implemented Login via Twitter on my own site. When a user clicks Login via Twitter, an OAuth token gets created. Simply, it looks like:

[Image: Pranav's app]

When the user presses Cancel, it goes to this page, and we can use this endpoint to leak the code.

[Image: not signed in]

Researching further, I found that once an oauth_token has been cancelled it can still be used to leak the code (just send it to another user),
e.g. https://api.twitter.com/oauth/authorize?oauth_token=1BXYoJbg57y8iPjuOn1MHI8HTFdXubvc

Now, the final exploit link looks like:

https://login.live.com/oauth20_authorize.srf?scope=wl.basic&redirect_uri=https://api.twitter.com/oauth/authorize?oauth_token=AN1mm9vVN1BUDeBWCHCfINHJBkjAytPs&client_id=000000004403A722&response_type=code

Note the redirect_uri=https://api.twitter.com/oauth/authorize?oauth_token=1BXYoJbg57y8iPjuOn1MHI8HTFdXubvc.

Send the above link to any random victim on the web and it will get you the code via the Referer header (a single click by the victim is required). So, game over ...! ;)

[Image: request details]

Replies from Twitter

At first they declined to accept it as a vulnerability, reasoning that the data here comes from somebody like Microsoft rather than from Twitter.

I explained the whole thing several times. Then they came to agree and rewarded me the minimum bounty. I asked for clarification again. See the reply:

[Image: Twitter's reply]

They mistook this attack for the victim clicking Login via Twitter from my malicious site, but that was not the case. I explained it to them again. But they are interested in bugs like XSS, CSRF, RCE, etc.

But I am very happy with my research and discovery. So, at this time I am like:

[Image: happy cartoon]

Thanks for devoting time to reading about this discovery. I will be glad to see comments about this hack.
You can stay in contact with me (Pranav Hivarekar) on Facebook and follow me on Twitter.