Twitter OAuth2 is vulnerable

I contacted Twitter months ago stating that I had their private keys and that I would like to help them fix it. Almost 4 months later, I have yet to receive a response after contacting them multiple times.

This affects all OAuth applications as far as I know.

Here's an OAuth config that I use for a program of mine

$ cat api.config | cut -d ' ' -f1 #-f2 are the key values
#
consumer-key
consumer-key-secret
access-token
access-token-secret

$ cat api.config | cut -d ' ' -f2 | awk '{print length($0);}'
6
22
42
50
43

$ # 22 = consumer-key # 42 consumer-key-secret

$ # just to be sure

$ cat api.config | cut -f2 -d ' '| awk '{ print length($0) " " $0;}' | grep -B1 -A1 "^22 "

22 XQbBbFTak71nLGZrkPBLxQ
42 hECix6VJ1S6EETAdNERiuibJSnJ9PhtaxAzorkzSrw

Using the same logic to find the OAuth keys in TweetDeck

$ strings ~/.wine/dir/Twitter/TweetDeck/TweetDeck.exe > tweetdeck.strings

$ cat tweetdeck.strings | awk '{ print length($0) " " $0;}' | grep -B1 -A1 "^22 " | head -2
42 3neq3XqN5fO3obqwZoajavGFCUrC42ZfbrLXy5sCv8
22 yT577ApRtZw51q4NPMPPOQ

--- side by side ---

-- my private consumer key

XQbBbFTak71nLGZrkPBLxQ

-- tweetdeck's

yT577ApRtZw51q4NPMPPOQ

-- my private consumer secret

hECix6VJ1S6EETAdNERiuibJSnJ9PhtaxAzorkzSrw

-- tweetdeck's

3neq3XqN5fO3obqwZoajavGFCUrC42ZfbrLXy5sCv8

Thanks for reading
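The post finds the embedded credentials by running `strings` over the binary and filtering on the key lengths (22 for the consumer key, 42 for the consumer secret). The same shape makes a useful release-time check from the other side: scan your own build artifact before shipping it and fail the build if anything that looks like a credential is inside. The following is an added example, not code from the post or from Twitter; it reimplements the `strings`-style extraction in Python, uses the lengths reported above as its only signal of "looks like a Twitter key" (other issuers use other lengths), and adds a Shannon-entropy threshold so that repetitive padding of the same length is not flagged. The sample binary, the tokens in it and the entropy threshold are all constructed for this example.

```python
import math
import re

# Printable-ASCII runs of at least 4 bytes: a rough equivalent of `strings`.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Alphabet observed in the keys quoted in the post (letters and digits only).
TOKEN_RE = re.compile(rb"[A-Za-z0-9]{20,64}")
# Lengths the post reports for a consumer key (22) and consumer secret (42).
# Constructed for this example; adjust for the credential format you issue.
SUSPECT_LENGTHS = {22, 42}


def printable_runs(blob: bytes):
    """Return every printable-ASCII run in the blob, like `strings` would."""
    return [m.group(0) for m in STRINGS_RE.finditer(blob)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking credentials score high, padding scores low."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_credential_candidates(blob: bytes, min_entropy: float = 3.5):
    """Tokens whose length matches a known credential length and whose
    entropy is high enough to be a real key rather than filler.
    Returns a list of (length, token) pairs in order of appearance."""
    hits = []
    for run in printable_runs(blob):
        for m in TOKEN_RE.finditer(run):
            tok = m.group(0)
            if len(tok) in SUSPECT_LENGTHS and shannon_entropy(tok) >= min_entropy:
                hits.append((len(tok), tok.decode("ascii")))
    return hits


# Constructed stand-in for a shipped executable: some header bytes, ordinary
# strings, a fake 22-char key, a 22-char run of padding, and a fake 42-char secret.
FAKE_KEY = b"Zq8xK2mVp9LcT4nRb7WdYe"                        # 22 chars, constructed
FAKE_SECRET = b"Hk3pW9qZ2vLm7nXb4Rc8TdYf1GsJ6uAe5NtKo0PiQw"  # 42 chars, constructed
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00"
    + b"Configuration\x00"
    + b"consumer_key=" + FAKE_KEY + b"\x00"
    + b"a" * 22 + b"\x00"
    + FAKE_SECRET + b"\x00\xff\xfe"
)

if __name__ == "__main__":
    for length, token in find_credential_candidates(SAMPLE_BLOB):
        print(f"possible embedded credential ({length} chars): {token}")
```

Run it against the real artifact with `find_credential_candidates(open(path, "rb").read())`; a non-empty result is a build failure, not a warning. The length filter is deliberately narrow so the check stays quiet, which is also its limitation: a credential of a length you did not list will pass, so the list should track every credential type your application is issued.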
