Monday January 05, 2009 at 16:03

Tags: Twitter, hacks

Twitter’s Cookie Fiasco - Authentication the Wrong Way

Twitter has come under attack over the last couple of days because of a phishing scam.  After looking at this scam, and thinking about how Twitter maintains a user’s session, I decided to play around a little bit with my account.

First, I’m using Safari on OS X, but all browsers have the same problem; it’s just easier to explain with Safari.  When you log into Twitter, it sets several cookies, each of them tied to your account.  Fortunately, the cookie ID, though the same (for the first x digits) in each of them, is not your user ID.  However, after taking a closer look, I realized that since all of these are stored in Cookies.plist in the user’s Cookies directory, it would be very simple to modify the plist with a plist editor.  Getting the right combination is actually very difficult, and since my goal was not to hack another user’s account, I decided to test my initial theory instead.

Since Twitter does not re-authenticate the user with each session and instead relies on cookies, what if I copied my Cookies.plist and saved it for later?  I made a copy, removed all my cookies, and went back to Twitter.  It correctly asked me to log back in.  I then closed the browser, overwrote Cookies.plist with my saved copy, and re-opened the browser.  When I went to Twitter, it believed I was already logged in, and therefore didn’t ask for any credentials.

Test one was a success, or a failure depending on your point of view.

The second test is a bit scarier.  Since I have this Cookies.plist file, what if I changed my password?  So I went into Twitter, changed my password, logged out, deleted my cookies, and closed the browser.  I then copied my Cookies.plist file back (a file whose cookies had been issued under the old password) and started over again.  To my horror, when I went to Twitter, it believed I was logged in, even though I had changed the password.  Now granted, in order to change the password you have to know your password, but this got me thinking.  I don’t have to know anything to change my email address.  I changed my email address, and then changed my password.  I deleted my cookies again and went back to Twitter.  I proceeded to ask Twitter to send me my password, since I no longer knew it.  In a couple of minutes, I got my password at the new email address I had set up.

Conclusion: until Twitter changes the way in which users authenticate, no compromised account is safe.

Update: In order for this to work, you must check the “Remember Me” box when you log in the first time.
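As an added example (not code from this post or from Twitter), here is the shape of a remember-me cookie scheme that would have stopped both tests above: the cookie is HMAC-signed, carries an expiry and a per-user authentication version, and stops validating the moment the password or email address changes; changing either one requires the current password. The user record, the `change_credential` helper and every name in the block are constructed for the example.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # rotating this invalidates every cookie

def _pw_hash(password):  # placeholder; use bcrypt/scrypt/argon2 in production
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed in-memory user store; a real app would use a database.
USERS = {"gabe": {"email": "gabe@example.invalid", "pw": _pw_hash("old-pw"), "auth_version": 1}}

def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_remember_me(uid, now=None, ttl=30 * 24 * 3600):
    # The cookie binds the user id to the current auth_version and an expiry.
    exp = int(now if now is not None else time.time()) + ttl
    payload = json.dumps({"uid": uid, "ver": USERS[uid]["auth_version"], "exp": exp}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def validate_remember_me(cookie, now=None):
    # Returns the user id for a valid cookie, else None.
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered, so never parse it
    data = json.loads(payload)
    user = USERS.get(data["uid"])
    if user is None or (now if now is not None else time.time()) > data["exp"]:
        return None  # unknown user or expired
    if data["ver"] != user["auth_version"]:
        return None  # issued before a credential change: the check the post shows was missing
    return data["uid"]

def change_credential(uid, current_password, field, value):
    # Password and email changes both require the current password, and both
    # bump auth_version so every previously issued cookie is retired.
    if USERS[uid]["pw"] != _pw_hash(current_password):
        return False
    USERS[uid][field] = _pw_hash(value) if field == "pw" else value
    USERS[uid]["auth_version"] += 1
    return True
```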


Name: Gabriel (Gabe Ingram)

Birthday: 8/21

Occupation: Reluctant Programmer. I've been programming in ColdFusion since 1999.  From 2000 to 2008, I was the Application Team Lead for Interactive Media.  During that time, I was responsible for maintaining and developing all of the sites and portals for HamptonRoads.com and PilotOnline.com.  I was the lead developer for the HamptonRoads.com and PilotOnline.com migration from a ColdFusion site to Drupal.  I recently left Interactive Media, and have returned to ColdFusion coding for a company in Greensboro, NC.

Education: BA in History, BA in Philosophy, MA in Humanities. Like I said, I'm a reluctant programmer.

Interests: Too many to mention, just look at all the stuff on the site and you'll get an idea of what interests me.  My wishlist is also a good place to see what I'm interested in.

Current Obsessions: iPhone, Jailbreak, Nintendo DS, Jazz, Apple/Mac, William S. Burroughs and comic books.

About the Site: I started this site in 1999.  It has gone through 6 distinct re-designs, and I have switched platforms four times.  The site is now hosted through Tumblr.
