A pretty clever phishing email: I got a message warning me that my Twitter account was about to be suspended for suspicious activity, inviting me to click a button to prevent this. The URL the button went to *was* an x.com link, but it used a security vulnerability in Twitter's backend that allowed redirections to push me to an OAuth server that would prompt me for my Twitter login and 2FA, and then send the attacker a valid token they could use to take over my account:

Here's the (redacted) attack link:

https://x.com/ [BREAK INSERTED] i/oauth2/authorize?response_type=code&client_id= [UNIQUE ID REMOVED] Q&redirect_uri=https%3A%2F%2Ftwo.opensourced.us%2Fapi%2Fcallback%3Fi%3Dtwit&scope=tweet.read+users.read+mute.write+tweet.write+tweet.moderate.write+offline.access&code_challenge= [UNIQUE ID REMOVED] &code_challenge_method=plain

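A triage check a mail gateway or a cautious reader could run over a link of this shape, as an added example that is not part of the thread or of X's own code. It reads the authorization parameters the post's link carries (third-party redirect_uri, write and offline scopes, plain PKCE); the trusted-host allowlist and the placeholder client_id and code_challenge values are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the redacted link in the post; the client_id
# and code_challenge values are placeholders, not the real ones.
SAMPLE_LINK = (
    "https://x.com/i/oauth2/authorize?response_type=code"
    "&client_id=CLIENT_ID_PLACEHOLDER"
    "&redirect_uri=https%3A%2F%2Ftwo.opensourced.us%2Fapi%2Fcallback%3Fi%3Dtwit"
    "&scope=tweet.read+users.read+mute.write+tweet.write+tweet.moderate.write+offline.access"
    "&code_challenge=CODE_CHALLENGE_PLACEHOLDER&code_challenge_method=plain"
)

# Assumed (hypothetical) allowlist of hosts a first-party redirect would use.
TRUSTED_REDIRECT_HOSTS = {"x.com", "twitter.com"}

# Scopes that let the holder act as the user rather than just read.
WRITE_SCOPES = {"tweet.write", "mute.write", "tweet.moderate.write"}


def analyze_oauth_link(url):
    """Return a list of risk findings for an OAuth2 authorization URL.

    An empty list means nothing suspicious was found; this is a triage aid,
    not proof that a link is or is not phishing.
    """
    parts = urlsplit(url)
    # parse_qs percent-decodes values and turns '+' into ' ', so the
    # scope list comes out space-separated.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []

    if parts.path != "/i/oauth2/authorize":
        return findings  # not an authorization endpoint; nothing to assess

    redirect_host = urlsplit(params.get("redirect_uri", "")).hostname or ""
    host_ok = any(redirect_host == h or redirect_host.endswith("." + h)
                  for h in TRUSTED_REDIRECT_HOSTS)
    if not host_ok:
        findings.append(f"redirect_uri sends the auth code to a third party: {redirect_host}")

    scopes = set(params.get("scope", "").split())
    granted_write = sorted(scopes & WRITE_SCOPES)
    if granted_write:
        findings.append("requests write access: " + ", ".join(granted_write))
    if "offline.access" in scopes:
        findings.append("requests offline.access (refresh token, persistent access)")

    # RFC 7636 recommends S256; 'plain' exposes the verifier in the URL itself.
    if params.get("code_challenge_method", "") != "S256":
        findings.append("PKCE method is not S256 (plain or absent)")

    return findings
```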

@pluralistic hm. Twitter shouldn't be automatically authorizing OAuth2 requests.

My assumption here is that you logged into some random app with your Twitter account, and the Twitter account of whoever set up that app got hacked or sold their account, OR someone let that opensourced.us domain expire and an attacker bought it?

@tay @pluralistic if that's correct, this attack is available through a lot more OAuth2 users than xitter!
@tay @pluralistic for example, Wise offers Google as a sign-in option, but they do what you suggest and require me to use their app to finish my sign in.

@pluralistic you should have gotten a confirmation page at that link, asking if you wanted to give those permissions to the remote site?

Normally the initial setup tokens are only good for a very short time for exactly this reason - use it as part of an interactive process or not at all.

X should also drop-kick that client app ASAP; one of the important protections OAuth gives is the ability to retroactively restrict API clients.

Good job catching it!

@blaine I didn't click the link, so I can't confirm that behavior.

Cory

@pluralistic a good policy!

It was almost certainly safe to click the link, but less savvy folks could easily be phished in that sort of a scenario (people love clicking that OK button!).

I haven't thought about the details of this stuff in aaaages but there should be a referrer check in there as well that would prevent the attack from working at all.

@pluralistic x lets you do redirects? wtaf? Turns it into the skeeziest VPN ever. Thanks for the heads up.
@pluralistic Wow, that sounds really sneaky! It's crazy how clever some phishing attempts can be.
@pluralistic xitter allowing redirect attacks is wild. What a dereliction of duty.
@cavasquez @pluralistic The irony is not lost on me. He used to block Fediverse links and shadowban sex workers with the fake "concern" that those are links which pose a security risk
@pluralistic Well that’s yet another way Xitter is eliminating its user base
@KanaMauna @pluralistic
I'm still stunned Twitter has any users. This is just one more reason to delete the app.
@pluralistic I’ll add my voice to the “get your ass off Xitter, NOW” chorus. From abuse, Nazis, rampant misinformation and a batshit crazy owner, and now this, it’s not worth it.

@pluralistic Good warning to anyone still using the Twitter platform.

I wonder if the vulnerability is being left open on purpose as a favor for Putin by his minion Musk.

@pluralistic it's enshittification all the way down
@pluralistic Nothing can be trusted there X as Xcorp has figured out how to block anyone reaching me in loops and cannot get my notifications ... I refuse to pay for that drivel and my own content......
@pluralistic I never click email links logins, always revert to the source.
@pluralistic what was in the OAuth login link URL, how was it?
(anything to look for from button-click phishing attackers?)
Edit - Oh, you put it under. 👍

@pluralistic

In either Red Team Blues or The Bezzle, I don't remember which, Hench was thinking about security vulnerabilities. He said something like, "It's better if the box (the vulnerability) doesn't exist."

In this case, I'd say the vulnerability is you still having an account on Twitter. Nevermind that you hardly post there. The account itself is a risk.

@trabex
If you delete your Xitter account, then anyone can come along and create a new account with the same handle, and start pretending to be you. And we all know Musk won't do anything about it. So that's probably why @pluralistic still has an account there.
@pluralistic that brings me to question if HTTP redirects were a good idea in the first place.
@pluralistic
That's actually pretty clever. I got targeted by an account hijacking scam on Discord that was basically 100 percent social engineering, and it made me realize just how vulnerable everyone truly is - and no amount of security will swap out the weakest link.
@pluralistic Hmmm... if it were mastodon instead they would have to have a link to every different server rather than a single link...
@pluralistic Easy fix, why are you still using Twitter?

@pluralistic "inviting me to click a button to prevent this."

Never never.

@pluralistic Sorry, but since there is so much phishing going on I never again click any link in any email.
If this is a genuine email about something, I can certainly log into the website directly and find there whatever the email wants me to act on or remind me of. If I can't find it then it cannot be that important or ... I just delete the email because it's fake!

This will 100% protect me from phishing emails unless Thunderbird has a zero click bug (I hope not 😉, fingers crossed).

@pluralistic a similar exploit struck Yahoo pipes in 2009. It managed to get me.