Nicolas Seriot (Mobile Applications Developer, Swissquote Bank)
PRESENTATION TITLE: Abusing Twitter’s API and OAuth Implementation
PRESENTATION ABSTRACT:
Since March 2013, Twitter’s new web API requires every request to be signed with OAuth. This mechanism is supposed to prevent abuse and also allow Twitter to ban third-party clients who do not adhere to their new, much stricter terms of service.
After studying how the Twitter API uses OAuth, it turns out that the required authentication is ineffective at letting Twitter control third-party applications. A rogue client can impersonate a ‘blessed’ client by using its OAuth consumer tokens and access the API unnoticed. Consumer tokens are supposed to be kept secret, but we’ll see various fun and dynamic reverse engineering techniques for extracting them from popular Twitter clients, including the latest versions for OS X and iOS.
We also found that Twitter allows several third-party clients to redirect access tokens to a URL defined by the client. As you can impersonate the client, you can redirect the access tokens to your own pirate server. I’ll explain how to trick someone into giving you access tokens for their account without them noticing and without ever leaving Twitter’s secure website.
I’ll end by discussing the Twitter API from a security standpoint and explain that, to a great extent, many issues are caused by a fundamental mistake: taking OAuth authentication from the web to the desktop.
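The core of the argument above is what an OAuth 1.0a server can and cannot verify. The following is an added example (not code from the talk or from Twitter) implementing the standard HMAC-SHA1 request signature and the server-side check: the server can only confirm that the signature was made with the consumer secret registered for a consumer key, so anyone holding that secret is indistinguishable from the "blessed" client. It also shows the mitigation for the redirect issue, honouring only the callback registered for the consumer key. The consumer key, secret and callback are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials for one "blessed" client; not real Twitter values.
REGISTERED_CLIENTS = {
    "blessed-consumer-key": {
        "secret": "blessed-consumer-secret-placeholder",
        "callback": "https://blessed-client.example/oauth/callback",
    }
}


def percent(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)."""
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """METHOD & encoded(url) & encoded(sorted encoded key=value pairs joined by &)."""
    pairs = sorted((percent(k), percent(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent(url), percent(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{percent(consumer_secret)}&{percent(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def server_verify(method, url, params, token_secret=""):
    """All the server can check: does the signature match the consumer key's secret?
    Any program holding that secret passes, so this does not identify the binary."""
    client = REGISTERED_CLIENTS.get(params.get("oauth_consumer_key"))
    if client is None or "oauth_signature" not in params:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, client["secret"], token_secret)
    return hmac.compare_digest(params["oauth_signature"], expected)


def callback_allowed(consumer_key, oauth_callback):
    """Mitigation for the redirect issue: honour only the callback registered for
    the consumer key, never a URL supplied in the request."""
    client = REGISTERED_CLIENTS.get(consumer_key)
    return client is not None and oauth_callback == client["callback"]
```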
ABOUT NICOLAS SERIOT
Nicolas Seriot is an expert in OS X and iOS Cocoa development and has also written embedded applications for digital pay TV set-top boxes. Nicolas is particularly interested in data visualization, in privacy and security, and in breaking down all possible barriers using his head and his computer.
He regularly publishes his code and has given presentations at conferences such as Black Hat, DEF CON, NSConference, CocoaHeads and the OWASP AppSec Forum. Nicolas holds a degree in software engineering from HEIG-VD and a Master’s degree in economic crime investigation from HEG-ARC. He is currently a mobile applications developer and project manager at Swissquote Bank, Switzerland.