The Perfect Twitter Spam Attack?

This morning, when I logged on to Twitter, I saw a user who I didn't recognise tweeting away in my timeline.

I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar.

But, in thinking about how a spammer could infiltrate one's timeline, I think I came up with a fairly bullet-proof method to spam Twitter users.

I present this as an exercise in devious thinking - and also to show how our assumptions about security can play against us. Remember, hacking and impersonation are likely to be illegal in your jurisdiction.  This information is designed to help you understand how security weaknesses can occur.

Being Evil

Imagine you are a nasty, evil Twitter spammer. Your own mother wouldn't spit on you if you were on fire - that's how mean you are. Here's what you do.

1. Obtain a user's password.  Admittedly, this is the hardest part of the process. You might use a dictionary attack, use the same password they use to log in to another site, or somehow steal it.
2. Log on to Twitter.
3. Go to "Connections" and see which services they have connected to using OAuth.  For the purposes of this experiment, let's assume they use Example.com.
4. Go to Example.com and OAuth yourself with Twitter using your mark's credentials.
5. Here's where the ordinary spammer falls down.  The ordinary spammer will start sending out messages from the mark's account.  That's not the aim of this weakness.
6. From the mark's account, through Example.com, make your victim follow one of your spam accounts.  An account which exists solely to show adverts to your victim.

Your victim now sees your adverts for pills, poker and porn in their timeline.  With any luck, they'll just assume that one of their true friends is promoting your illicit wares.

Counter Attack

Most victims will assume that they accidentally followed your spam account - or that one of their friends has been hacked.

Worst case scenario, they unfollow your spam account.

So you just make them follow you again! Remember, you are still OAuth'd to Example.com. You can make them follow as many of your spam accounts as you think you can get away with.

At this point, the intelligent victim will think that their account may be compromised and change their password.

It doesn't matter! Because you have used OAuth, password changes don't affect you.  You can continue make them follow as many of your spam accounts as you think you can get away with.

At this point, the really intelligent victim will go through their OAuth connections to look for something suspicious.  They won't find it.  Remember steps 3 and 4?  You are OAuth'd to a service that your victim trusts.

Because of the way Twitter displays OAuth information, there's no way for a victim to know when a service was last authorised.

There is no information other than the first time the OAuth was set up.  No last accessed date, no IP addresses, nothing useful.

When following an account, the victim gets no notification of what has happened, when it has happened or how it has happened.  There is no way of them knowing which of their OAuth'd connections have been compromised, nor when it happened.

Their only safe option is to revoke every single OAuth connection.  Then reauthorise.  A time consuming and annoying prospect.

Conclusion

I hope I've demonstrated two things.

Firstly, there's more to spam then just sending out messages.  Forcing someone to read a message is just as annoying.

Secondly, our understanding of security and usability haven't quite caught up with the new tools which are available to us.  OAuth is still better than giving your password to an untrusted site - but without essential usability changes, a compromised account is a lot more dangerous than the user would suspect.

This "attack" still relies on a victim having their original password compromised.  That's not a trivial matter.  But security is like sexual health - it only takes one little accident...