Coming In Through The Back Door

Have you used Twitter Grader?

If so, your account has just been used without your consent. Don’t worry, your password is safe, but this application just sent out link spam as you.

You’re not alone.

[Screenshot: Twitter search results]

The attacker apparently got in through a hole in Twitter Grader that allowed him to send tweets through the account of every user who had ever authorized Twitter Grader.

That’s a scary thought, but it’s going to be more common as an API-based world takes over. It already happens on Facebook. Every application you authorize brings up an ominous-looking dialog box.

[Screenshot: Facebook’s application-authorization dialog]

Allowing Pet Society access will let it pull your profile information, photos, your friends’ info and other content it requires to work.

Why does this application need all that?

Didn’t API designers ever hear of the principle of least privilege?


The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning.


Once you start down the road of API security, you also have to worry about revoking access when it’s no longer needed, another central tenet of computer security.


Twitter allows this in a backhanded fashion. The onus is put on the user to remember that they authorized an application. Sometimes these applications can lurk for months and still have Read and Write access to your Twitter account:

[Screenshot: Twitter’s OAuth settings page listing authorized applications]

Pop Quiz: Out of all of these applications, which ones do I really need to have perpetual access to my account?

None of them.

Asking ourselves “Why”?

If we pop the Why Stack, we find out how to keep this from happening again:

1. Why did this attack work? Because Twitter Grader used Read/Write access to perform its function.

2. Why did TG use Read/Write access? So it could send out a tweet telling others about Twitter Grader after they used the service.

3. Why did it keep R/W access? Because there is no mechanism in place to automatically revoke it after it’s done.

4. Why isn’t there a mechanism in place? Because we didn’t write one.
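What the missing mechanism from step 4 could look like, as an added example that is not Twitter’s or Twitter Grader’s code: a small in-memory model of an authorization server that issues grants scoped to the minimum an application needs, caps “write” at a budget (one promotional tweet), drops the write scope automatically once that budget is spent, and expires the whole grant after a TTL so the user never has to remember to revoke it. The class and method names (`AuthServer`, `authorize`, `act`, `active`) and the “grader-app” scenario are this example’s own assumptions.

```python
"""Least-privilege grants with automatic revocation (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


class AccessDenied(Exception):
    """Raised when an application tries to act outside its grant."""


@dataclass
class Grant:
    app: str
    scopes: Set[str]              # subset of {"read", "write"}
    expires_at: float             # absolute time in seconds; grant dies after this
    write_budget: Optional[int]   # None = unlimited writes, else writes remaining
    revoked: bool = False


class AuthServer:
    """Hypothetical in-memory grant store; not a real OAuth provider's API."""

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        self._next_id = 1

    def authorize(self, app: str, scopes: Set[str], now: float,
                  ttl: float, write_budget: Optional[int] = None) -> str:
        """Issue a grant limited to `scopes`, alive for `ttl` seconds."""
        unknown = scopes - {"read", "write"}
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        gid = f"grant-{self._next_id}"
        self._next_id += 1
        # A grant without "write" gets a zero budget so no write can ever slip through.
        budget = write_budget if "write" in scopes else 0
        self._grants[gid] = Grant(app, set(scopes), now + ttl, budget)
        return gid

    def act(self, gid: str, action: str, now: float) -> str:
        """Perform `action` ("read" or "write") under grant `gid` at time `now`."""
        g = self._grants.get(gid)
        if g is None or g.revoked:
            raise AccessDenied("grant revoked or unknown")
        if now >= g.expires_at:
            g.revoked = True          # lazy expiry: first use after the TTL revokes it
            raise AccessDenied("grant expired")
        if action not in g.scopes:
            raise AccessDenied(f"scope {action!r} not granted to {g.app}")
        if action == "write" and g.write_budget is not None:
            if g.write_budget <= 0:
                raise AccessDenied("write budget exhausted")
            g.write_budget -= 1
            if g.write_budget == 0:
                g.scopes.discard("write")   # purpose fulfilled: auto-drop write access
        return f"{g.app}: {action} ok"

    def revoke(self, gid: str) -> None:
        """Manual revocation, the only path the page says Twitter offers today."""
        if gid in self._grants:
            self._grants[gid].revoked = True

    def active(self, now: float) -> Dict[str, Set[str]]:
        """What an auth-settings page should show: live grants and their scopes."""
        return {gid: set(g.scopes) for gid, g in self._grants.items()
                if not g.revoked and now < g.expires_at}


def demo_grader() -> dict:
    """Walk a grader-style app through a one-tweet grant (constructed scenario)."""
    srv = AuthServer()
    t0 = 0.0
    gid = srv.authorize("grader-app", {"read", "write"}, now=t0,
                        ttl=3600, write_budget=1)
    out = {"first_write": srv.act(gid, "write", t0 + 1)}   # the one allowed tweet
    try:
        srv.act(gid, "write", t0 + 2)                        # a second tweet is refused
        out["second_write"] = "allowed"
    except AccessDenied as e:
        out["second_write"] = str(e)
    out["read_after"] = srv.act(gid, "read", t0 + 3)        # reads still work
    out["scopes_after"] = srv.active(t0 + 3)[gid]
    try:
        srv.act(gid, "read", t0 + 4000)                      # past the TTL
        out["read_after_ttl"] = "allowed"
    except AccessDenied as e:
        out["read_after_ttl"] = str(e)
    out["active_after_ttl"] = srv.active(t0 + 4000)
    return out


if __name__ == "__main__":
    for k, v in demo_grader().items():
        print(f"{k}: {v}")
```

The write budget is the piece the Why Stack says nobody wrote: the application still gets the single tweet it asked for, but a compromised server sitting on that token afterwards can only read. The TTL handles the “lurking for months” case from the same direction, by making silence the revocation rather than the exception.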


Lessons Learned:

1. Always revoke application access to your account after whatever you use has fulfilled its purpose.

2. Never give any application your OAuth token if you aren’t completely comfortable with it tweeting as you.

3. Security fundamentals aren’t.
