On Jan 6, 12:20 am, Chris Heilmann <[email protected]> wrote:
> > I find this to be particularly concerning from a privacy point of
> > view.
>
> > You can retrieve enough information about a user to even replicate
> > their home page. This could be particularly damaging from a phishing
> > point of view. Not only can I spoof the Twitter home page, I can now
> > spoof the home page of any user that visits it. Making it that much
> > more realistic.
>
> > This is, however, one of the reasons I run with NoScript (FF
> > extension) when I'm browsing the web.
>
> > While this information _is_ publicly accessible, I want to reiterate
> > that it is troubling how you can figure out which specific Twitter
> > user may be visiting your site.
>
> Can we stop the paranoia please? To replicate any twitter user's
> homepage I need their user name and then I can use either curl
> (e.g. http://icant.co.uk/sandbox/twittercheck.php) or even an IFRAME, there

Chris. Please read my post again. You say "I need their user name",
which indicates I would have to ask for it. The concern is that I
don't even need a user to enter their username to be able to obtain
this information with the way the API currently works.

This is, plain and simple, a privacy leak. I'm not being paranoid, I'm
simply saying that this is one less step somebody needs to make a user
feel like they're on Twitter. If they can't tell the difference between a
valid home page and a fake one, imagine what happens if you present
them with their valid timeline without having to enter any
information.

> is no need for JavaScript whatsoever. In the first case your noscript
> will not make a single difference. Security and privacy do not come

And yes, NoScript does make a difference because it will
prevent the page from being able to automatically query the Twitter
API to determine who I am. It doesn't solve everything (what does),
but it certainly helps prevent cross-site scripting attacks, cross-site
request forgery and clickjacking - it is designed specifically to
help prevent these.

> by obfuscation but by making people aware of dangers. I am writing a
> presentation for Web Directions North about web app security at the
> moment and one of the main points is that people are the easiest
> attack vectors, not technology. If you really think the bad guys need
> an API for doing things like that then be very afraid.

I also present on web application security issues, and yes people are
usually the weak link. They always have been whether you're talking
about phishing scams or simply social engineering your way into a
building. Kevin Mitnick exhibited this years ago and it continues to
be true. Being able to present a user with legitimate data that is
owned by them is quite useful in perpetrating the scam, in my opinion.

>
> There are two needed for phishing: one who creates a fake interface and
> another who enters sensitive information. If you enter sensitive
> information into any form field - even on the legitimate twitter page
> - then you are making a very big mistake.

The way the API currently works alleviates the need for the user to
enter their username to present them with a page that looks like their
home page. I agree that a user is making a big mistake, but we don't
need to make it easier for people to spoof their data.

Does this make sense? I would be happy to share a proof-of-concept off-
list, but I am not comfortable posting it publicly. That only
facilitates malicious behavior.

>
> Don't blame the hammer for sore thumbs.

No blame, simply trying to raise awareness for what is a privacy leak
at the end of the day. Would you like it if you visited a site and it
could determine what your gmail address was?
