Security researcher Henry Hoggard recently discovered a cross-site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature that, once exploited, gave him the ability to read a victim’s direct messages and tweet from the victim’s account.
Hoggard, a security researcher at MWRInfosecurity, told Threatpost via email that he found the bug in his spare time and reported it to Twitter. Twitter then resolved the vulnerability within 24 hours. Hoggard then posted the details on his personal blog.
A CSRF vulnerability lets an attacker make a user’s browser perform unwanted actions in an application or service to which that user is already authenticated: because the browser attaches the session cookie automatically, a forged request from an attacker-controlled page is indistinguishable from a legitimate one unless the application checks something the attacker cannot supply. These attacks generally involve some social engineering, such as emailing the victim a link to a page that carries the forged request. When successful, an attacker can wrest control of a user’s account, which could have a wide range of impacts depending on the application in question and the level of rights granted to the targeted user.
In this case, Hoggard found the CSRF bug in a Twitter feature that gives users the ability to add a mobile device to their account and control that account via SMS using the mobile device added.
By building a CSRF page, Hoggard found that an attacker could add his own phone number and carrier to the victim’s account. Twitter had built an anti-CSRF authentication token into the feature that should have prevented exactly this sort of attack. Unfortunately, Twitter only checked that a token was present and never compared its value against the one issued to the victim’s session, which means an attacker could submit any value whatsoever for the token and still pass the check.
Hoggard claims that an attacker could compromise a victim account by sending the targeted user a link to a malicious website containing his exploit code (the CSRF page plus a link to Twitter’s “add a device” activation page).
If the user clicks the link, his or her browser unwittingly submits the forged request and begins the process of registering the attacker’s device. Twitter would then be waiting for someone (in this case the attacker) to text “GO” to the mobile short code that activates the device.
Once this is done, the attacker would receive a device activation notification and would now have the ability to send and receive tweets by texting his or her desired message to the same mobile short code number.
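The core of the bug described above is a server-side check that tests for the presence of an anti-CSRF token but never its value. The following is an added illustration written for this article, not Twitter’s code or Hoggard’s exploit: a minimal model of an “add a device” handler with the present-but-unchecked token beside a corrected per-session comparison, plus the kind of auto-submitting form a CSRF page uses to make the victim’s browser send attacker-chosen fields. All names (`make_session`, `add_device_vulnerable`, `add_device_fixed`, `forged_form`), the endpoint URL and the phone numbers are hypothetical.

```python
import hmac
import secrets

# Added example, not Twitter's implementation. It models the flaw the article
# describes: a CSRF token that is required to exist but is never compared.


def make_session(user):
    """Constructed login session. The server mints a random per-session CSRF
    token so its own forms can echo it back; a cross-site page cannot read it."""
    return {"user": user, "csrf_token": secrets.token_hex(16), "devices": []}


def add_device_vulnerable(session, form):
    """Broken check (hypothetical): rejects the request only when the token
    field is empty. Any non-empty value, such as 'anything', passes."""
    if not form.get("authenticity_token"):
        return ("rejected", "missing token")
    session["devices"].append((form["phone"], form["carrier"]))
    return ("accepted", "pending: text GO to the short code to activate")


def add_device_fixed(session, form):
    """Corrected check: the submitted token must equal the token bound to the
    victim's session. compare_digest keeps the comparison constant-time."""
    submitted = form.get("authenticity_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return ("rejected", "invalid CSRF token")
    session["devices"].append((form["phone"], form["carrier"]))
    return ("accepted", "pending: text GO to the short code to activate")


# A constructed CSRF page: when the victim loads it, the browser POSTs the
# hidden fields to the target, attaching the victim's cookie automatically.
ATTACK_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://example.invalid/devices/add">
 <input type="hidden" name="phone" value="+15550100">
 <input type="hidden" name="carrier" value="example-carrier">
 <input type="hidden" name="authenticity_token" value="anything">
</form></body></html>"""


def forged_form():
    """The POST body the page above makes the victim's browser send. The
    attacker controls every field, including the token, but cannot know the
    victim's real token because the page is served from another origin."""
    return {
        "phone": "+15550100",            # attacker's number (constructed)
        "carrier": "example-carrier",
        "authenticity_token": "anything",
    }


def legitimate_form(session):
    """What the site's own form submits: the real per-session token."""
    return {
        "phone": "+15550199",
        "carrier": "victim-carrier",
        "authenticity_token": session["csrf_token"],
    }


def run_demo():
    """Runs the forged request against both handlers and a legitimate one
    against the fixed handler; returns the outcome of each."""
    victim = make_session("victim")
    outcomes = {
        "vulnerable_forged": add_device_vulnerable(victim, forged_form())[0],
        "fixed_forged": add_device_fixed(victim, forged_form())[0],
        "fixed_legitimate": add_device_fixed(victim, legitimate_form(victim))[0],
    }
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable handler accepts the forged request, so the attacker’s number is now pending activation on the victim’s account and the attacker need only text “GO” to the short code. The fixed handler rejects it while still accepting the site’s own form, which is the whole point of a per-session token: its value, not its presence, is what a cross-site page cannot forge.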
Users with the NoScript extension installed in their browser would not have been affected by this vulnerability even before Twitter fixed it, according to the researcher.
Twitter did not respond to a request for comment, but Hoggard provided communication logs between himself and the social network’s application security team, noting that Twitter fixed the bug incredibly quickly. The logs show that Twitter received his bug report on the morning of November 3, requesting that Hoggard not publicize his findings immediately. Early that same afternoon, the logs indicate that Twitter had resolved the issue.