

How I Discovered a Security Vulnerability in Twitter That Impacted 1.5M Users - sliggity
http://bostinnovation.com/2011/02/03/how-i-discovered-a-security-vulnerability-in-twitter-that-impacted-1-5-million-users/

======
stanleydrew
After reading this I have no idea how he actually discovered the
vulnerability, aside from a handwavy statement about messing with form input.

Most of the writeup is just a narrative about what he saw and who he talked to
afterwards. I'm a little disappointed. I was hoping for more technical detail.

~~~
tptacek
Presumably, he submitted a ticket, went to the ticket status page, saw a list
of tickets each with a link like
"<http://support.twitter.com/tickets/1532547>", and changed the ticket number
in the URL. It's possible that it was slightly more tricky than that (it may
be that there's a sub-URL that doesn't enforce access control, and that the
root URL always did), but from the writeup that appears to be the whole issue.

In standard Rails, which the Twitter support ticket site may very well be,
this is a one line fix; call User.tickets.find_by_id instead of
Ticket.find_by_id.
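The lookup tptacek describes, as an added example that is not part of the thread and not Twitter's or Zendesk's code. It models the bug and the one-line fix in plain Ruby with an in-memory table rather than ActiveRecord: `find_ticket_by_id` stands in for the unscoped `Ticket.find_by_id`, `find_user_ticket_by_id` for a lookup scoped through the current user's association, and `enumerate_tickets` is the attacker's step of walking the id space from a ticket they legitimately own. All names and the sample tickets are constructed for the example; the only assumption about the real system is the one tptacek makes, that the handler looked up a ticket by primary key without checking ownership.

```ruby
# Added example (not from the thread, not Twitter's code): a forced-browsing /
# IDOR bug on GET /tickets/:id, modelled with a plain Ruby in-memory table.
# Ticket, TICKETS and the show_ticket_* handlers are made up for illustration.

Ticket = Struct.new(:id, :owner_id, :subject, :body)

# Constructed sample data: sequential ids, three owners (user ids 4, 7, 9).
TICKETS = [
  Ticket.new(1532545, 7, "Can't log in",      "my password is hunter2"),
  Ticket.new(1532546, 9, "API key rotation",  "consumer_secret=abc123"),
  Ticket.new(1532547, 7, "Suspended account", "please reinstate @me"),
  Ticket.new(1532548, 4, "Billing",           "card ending 4242"),
  Ticket.new(1532549, 9, "Rate limit",        "app id 55"),
].freeze

# Stands in for Ticket.find_by_id: primary-key lookup, no ownership check.
def find_ticket_by_id(id)
  TICKETS.find { |t| t.id == id }
end

# Stands in for current_user.tickets.find_by_id: the lookup is scoped to the
# caller's own rows, so a foreign id is simply not found.
def find_user_ticket_by_id(user_id, id)
  TICKETS.find { |t| t.owner_id == user_id && t.id == id }
end

# Vulnerable handler: authenticated as user_id, but user_id is never used.
# Returns [status, body] like a minimal Rack response.
def show_ticket_vulnerable(user_id, id)
  t = find_ticket_by_id(id)
  t ? [200, t.body] : [404, "Not found"]
end

# Fixed handler: same route, scoped lookup. A foreign id gets 404 rather than
# 403, so the response does not even confirm that the ticket exists.
def show_ticket_fixed(user_id, id)
  t = find_user_ticket_by_id(user_id, id)
  t ? [200, t.body] : [404, "Not found"]
end

# The attack: start at a ticket the attacker owns and walk neighbouring ids.
# handler is a Method object; returns the foreign ids whose bodies leaked.
def enumerate_tickets(user_id, start_id, count, handler)
  (start_id...(start_id + count)).select do |id|
    status, _body = handler.call(user_id, id)
    status == 200 && find_ticket_by_id(id).owner_id != user_id
  end
end

if __FILE__ == $PROGRAM_NAME
  # User 7 owns 1532545 and 1532547; everything else is someone else's.
  puts "vulnerable: leaked #{enumerate_tickets(7, 1532545, 5, method(:show_ticket_vulnerable))}"
  puts "fixed:      leaked #{enumerate_tickets(7, 1532545, 5, method(:show_ticket_fixed))}"
end
```

The point of routing every lookup through the user's own scope is that authorization stops being a check the developer has to remember on each action: a ticket that is not in `current_user.tickets` cannot be loaded at all, whatever id the URL carries. Sequential ids are what make the enumeration cheap, but random ids only slow the attacker down; the scoped lookup is the actual fix.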

~~~
stanleydrew
Yeah, I didn't expect it to be thrilling. But some detail would have been
good. As it is I'm not really sure what the point of the post was, except to
say "Hey, I found something wrong with Twitter and then tweeted with some
famous people and then once I found the right email address I told them and
they fixed it. Oh and did I mention that it was really important because it
affected 1.5 million users?"

It would have been more useful if the author included some details and
possibly speculation (as you have provided) as to what was going on in
Twitter's ticketing setup so that we could all learn from it.

------
nbpoole
I need to get better at creating these kinds of titles for my vulnerability
writeups :P

~~~
tptacek
No, you don't. I'm very much not a fan of how this was written up. This is a
straightforward "forced-browsing"-style web bug that disclosed support
tickets. You could write an article about how support systems are often
ignored during software security projects, but that's not what this guy wrote.
I'm not really sure what he's trying to demonstrate, other than that he is
awesome and Twitter less so. Stay classy.

------
arthurgibson
"All support tickets – at the time, 1.5+ million! – were exposed"

* Was this actually 1.5M users or just tickets? That's a lot of upset people if so.

~~~
ttol
These were users. I wrote 1-1.5 to set a wide range in case of duplicates,
but I rarely saw any. From my observation, the number is closer to 1.5 million
than 1 million (and growing by 100-200 per hour).

~~~
arthurgibson
Wow, I can't even imagine some of the filtering that needs to go on within
that system to find the legitimate tickets to address.

~~~
ttol
Most were actually legit. I asked one of the support guys how he and his team
handle the volume. He responded with his secret:
<http://twitter.com/#!/Charles/status/32971715290210304>

"@Charles Your team does a great job. 100-200 tickets _per hour_. How do you
do it?"

"@Wayne My secret is keyboard macros and Text Expander. Some days can be
pretty overwhelming though!"

------
gyardley
Wait, account passwords were visible?

Was this a case of account passwords being sent to Twitter Support by users -
'hey, I can't login, my password is bigclown' - or does Twitter Support have a
way to access the user's actual password?

If it's the latter, that's a time bomb waiting to go off.

~~~
ttol
Former. Also App developers posting their API keys and Consumer Secret keys.
So, theoretically, this would allow a malicious person to control all the
authorized accounts with that app (and these were big name apps).
Autotweeting, DMing, access private messages, etc.

~~~
abraham
Only if they both stole the consumer token and were able to phish the user
into going through the authorization flow.

~~~
tptacek
The dev that posts OAuth secrets in support tickets also probably hasn't
constructed a fortress of awesomeness around his own user's data, anyways.

------
erikabele
This reminds me of some flaw with Skype's billing system which allowed me to
download invoices for virtually every paying business customer just by
replacing some chars in a URL. The invoices included a lot of personal details
together with various bank account & phone numbers.

Took me 8 months to get someone at Skype to acknowledge the issue; to my
knowledge it was never escalated. Wouldn't be surprised if it's still there...

------
kmccarth
Twitter Support gets about 100-200 tickets per hour

~~~
coderdude
Yeah it says so in the blog post. Which I just realized you are the author of.

~~~
kmccarth
co-founder, yup

~~~
coderdude
It's a great looking site. You've got something good on your hands here. I
wish you and your co-founders the best of luck.

------
jdp23
Good writeup.

Was the vulnerability in Zendesk or in how Twitter had configured the system?

~~~
ttol
I asked the same thing but was told that Twitter couldn't disclose this to me
because of their NDA and other confidentiality agreements. Who is actually at
fault is unclear. I wasn't able to reproduce this on Groupon or Rackspace
Cloud's Zendesk though, but that doesn't say anything definitive.

~~~
jdp23
Belated thanks for the response. I guess we'll never know.

------
tptacek
You usually don't have to write headlines like "1.5M users compromised!" to
get people to fix trivial web flaws. Also, before asking VC's and posting
public Twitter messages and spending two days trying to track down a security
contact, try mailing "security@" _first_ ; as you discovered, that sensible
default generated an immediate response.

 _Edited out "not '96 anymore", the word "breathless", and my assessment of
his effort to track down security@ as "hinky"; I wasn't happy with the tone of
this comment in retrospect either._

~~~
ttol
No, the security pages were put up after I talked to Bob. (Those are new pages
and are about a week old. They were put up precisely because it wasn't easy
for people to report security issues.) Also, the headline wasn't written by
me. Boston Innovation editors modified it. My original headline is on my
website at waynechang.com. And yes, it was hard to get a hold of someone -- I
spent two days. Emailing security@twitter.com was less obvious then, since
emailing support@twitter.com sends back a form rejection letter (try it).

~~~
tptacek
You're right. The headline on _your_ site is "How I Discovered A Security
Vulnerability In Twitter"; the "I found another security vulnerability that
impacted 1-1.5 million Twitter accounts." copy is in your _subhed_. My
mistake.

