Skip to main content

Twitter OAuth feature can be abused to hijack accounts, researcher says

posted onApril 15, 2013
by l33tdawg

A feature in the Twitter API (application programming interface) can be abused by attackers to launch credible social engineering attacks that would give them a high chance of hijacking user accounts, a mobile application developer revealed Wednesday at the Hack in the Box security conference in Amsterdam.

The issue has to do with how Twitter uses the OAuth standard to authorize third-party apps, including desktop or mobile Twitter clients, to interact with user accounts through its API, Nicolas Seriot, a mobile applications developer and project manager at Swissquote Bank in Switzerland, said Thursday.

Twitter allows apps to specify a custom callback URL where users will be redirected after granting those apps access to their accounts through an authorization page on Twitter's site. Seriot found a way to craft special links that, when clicked by users, will open Twitter app authorization pages for popular clients like TweetDeck. However, those requests would specify the attacker's server as callback URLs, forcing users' browsers to send their Twitter access tokens to the attacker.

Source

Tags

Twitter OAuth Security HITB HITB2013AMS Netherlands

You May Also Like

Recent News

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th