Twitter rapidly fixes CSRF account control exploit

Twitter users can sleep easy after the company fixed a bug that briefly allowed accounts to be hijacked through a cross-site request forgery (CSRF) flaw.

The bug, discovered by Henry Hoggard at MWRInfosecurity, abused Twitter’s “add a mobile device” feature to let an attacker read the direct messages of any account and send tweets from it.

Hoggard discovered the bug during his spare time, according to ThreatPost, and once he had informed Twitter of the problem it was fixed within 24 hours.

The CSRF flaw was exploited through the social networking site’s feature that lets a user register a mobile device by SMS so that the phone can control the Twitter account.

In this case Hoggard built a CSRF page which, when loaded by a victim, submitted a request adding an attacker-chosen phone number and carrier to the victim’s account, bypassing the authentication token Twitter had implemented to prevent exactly this. The bypass worked because Twitter was checking only that a token was present, not that its value was correct: an attacker could submit any value and it would still be accepted as valid.

Hoggard explained that an attacker would use social engineering to get the target to visit a web page carrying the exploit code. Once the request had gone through, the attacker simply texts “GO” to the mobile short code shown for the device, and a confirmation SMS is sent to the newly activated device indicating that it can now control the user’s account.
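To make the token mistake concrete, here is an added illustration (not Twitter’s code, nor Hoggard’s exploit) modelling the two request-handling paths and the kind of cross-site page described above. The endpoint name, session layout, phone number and carrier are invented placeholders; the only point being demonstrated is the difference between checking that a CSRF token is present and checking that its value matches the one issued to the victim’s session.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of an "add a mobile device" endpoint. The names below
# (Session, Request, add_device_*, ATTACKER_PAGE) are assumptions for this
# illustration and do not describe Twitter's real implementation.


@dataclass
class Session:
    user: str
    # Token issued to the logged-in browser and echoed back in each form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    devices: list = field(default_factory=list)


@dataclass
class Request:
    session: Session   # looked up from the cookie the browser attached
    form: dict         # POST body exactly as the browser submitted it


def add_device_vulnerable(req: Request) -> bool:
    """Presence-only check: any non-empty token value is accepted."""
    if not req.form.get("authenticity_token"):
        return False
    req.session.devices.append((req.form["phone"], req.form["carrier"]))
    return True


def add_device_fixed(req: Request) -> bool:
    """Value check: the token must equal the one bound to this session."""
    submitted = req.form.get("authenticity_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False
    req.session.devices.append((req.form["phone"], req.form["carrier"]))
    return True


# The cross-site page a victim is lured to. It auto-submits a form to the
# target; the browser attaches the victim's cookie, but the page cannot read
# the victim's real token, so it sends a made-up one (placeholder values).
ATTACKER_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://target.example/devices/add">
  <input type="hidden" name="phone" value="+15555550100">
  <input type="hidden" name="carrier" value="example-carrier">
  <input type="hidden" name="authenticity_token" value="anything">
</form></body></html>"""


def forged_request(victim: Session) -> Request:
    """What the server receives when the victim's browser loads ATTACKER_PAGE."""
    return Request(session=victim, form={
        "phone": "+15555550100",
        "carrier": "example-carrier",
        "authenticity_token": "anything",
    })


def legitimate_request(user: Session) -> Request:
    """A genuine submission from the user's own page, carrying the real token."""
    return Request(session=user, form={
        "phone": "+15555550199",
        "carrier": "example-carrier",
        "authenticity_token": user.csrf_token,
    })


def demo() -> dict:
    """Run the forged request against both handlers and report the outcome."""
    victim_a = Session(user="victim")   # served by the vulnerable handler
    victim_b = Session(user="victim")   # served by the fixed handler
    return {
        "forged_accepted_by_vulnerable": add_device_vulnerable(forged_request(victim_a)),
        "forged_accepted_by_fixed": add_device_fixed(forged_request(victim_b)),
        "legit_accepted_by_fixed": add_device_fixed(legitimate_request(victim_b)),
        "devices_on_victim_a": victim_a.devices,
        "devices_on_victim_b": victim_b.devices,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against the vulnerable handler the attacker’s phone lands on the victim’s account; the fixed handler rejects the forged token while still accepting the user’s own form. The constant-time comparison is incidental to CSRF but is the idiomatic way to compare secrets in Python.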

ThreatPost reports that Hoggard showed the publication a communication log between him and Twitter’s application security team that showed the speed with which the microblogging service fixed the bug. Hoggard informed the security team of the flaw on the morning of 3 November and by early afternoon it had been resolved.

A DOSarrest Internet Security report last month found CSRF flaws in 67 per cent of website scans, and warned that they are dangerous to end consumers because of the scope for identity theft using the technique.