Full Disclosure mailing list archives

Re: Impossible to Maintain Secure Session With Twitter.com Web Interface
From: Sam Quigley <quigley () emerose com>
Date: Sat, 1 May 2010 13:47:22 -0700

iSEC Partners Security Advisory - 2010-001-twitter https://www.isecpartners.com

[…]
2010-04-26: Twitter asserts that it is now possible to maintain an HTTPS
            session if the session begins with HTTPS; i.e. users can
            navigate to https://twitter.com to start an HTTPS session.
            However, https://twitter.com/ contains HTTP resources, including
            a JSON response from http://twitter.com. An active network
            attacker could potentially use this weakness to insert their
            own code into the page and maintain control over the user's
            session.


Also worth noting that, until yesterday, all SSL pages (including sensitive ones like /oauth/authorize) loaded 
JavaScript from maps.google.com without using SSL.  Like the issue iSEC identified above, this has now been fixed.

Also yesterday, they (finally) disabled unsafe SSL renegotiation, thus blocking the credential-stealing attack 
identified by Anil Kurmus last November.[1]

So: progress.  Unfortunately, they still support SSLv2 and a variety of weak ciphers[2] — so there's still room for 
improvement.

-sq


[1]: http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
[2]: https://www.ssllabs.com/ssldb/analyze.html?d=twitter.com&s=168.143.162.36
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
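The weakness the thread describes is mixed content: an HTTPS page that pulls scripts or data over plain HTTP, so an active network attacker who tampers with a single plaintext fetch can run code in the secure page. The scanner below is an added example (not part of the original post or of iSEC's advisory) that lists such sub-resources in a page; the sample HTML and all resource paths in it are constructed, and the severity split into "active" and "passive" content is the standard browser terminology, not something the post states.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" content (scripts, stylesheets, frames) can rewrite the HTTPS page,
# so one tampered plaintext fetch hands over the session; images are "passive".
ACTIVE = {"script": "src", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            ref, severity = attrs.get(ACTIVE[tag]), "active"
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            ref, severity = attrs.get("href"), "active"
        elif tag in PASSIVE:
            ref, severity = attrs.get(PASSIVE[tag]), "passive"
        else:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") refs, so only explicit http:// is flagged
        url = urljoin(self.page_url, ref or "")
        if ref and urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))

def scan_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # a plain-HTTP page has nothing "mixed" to report
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample modelled on the thread: an HTTPS page pulling a script from
# maps.google.com and a JSON response over plain HTTP (all paths are made up).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="//twitter.com/example.css">
<script src="http://maps.google.com/example-maps.js"></script>
<script src="http://twitter.com/example.json"></script>
</head><body>
<img src="http://twitter.com/example-logo.png">
<script src="https://twitter.com/example-app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content("https://twitter.com/", SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

On the sample, the two plaintext scripts are reported as active and the image as passive, while the protocol-relative stylesheet resolves to https and is not flagged, which is the fix the post says Twitter applied for the maps.google.com script.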