Attackers got in and found Twitter’s private OAuth login keys, used by the website’s official applications to get preferential treatment from the micro-blogging site.
These credentials could now allow any software to masquerade as an approved Twitter client.
A set of key pairs uploaded to Github apparently see use by Twitter for iPhone, Android, iPad, Mac OS X and Windows Phone, Twitter for Google TV, and TweetDeck. Once authenticated, these programs get access to features unavailable to clients that don’t have Twitter’s approval. But they need to store the keys somewhere on the user’s computer or gadget, and it appears someone has found them.
The keys first posted on GitHub website five months ago, but ended up updated late last week. GitHub said the information is true.
So, what could happen now is unapproved apps could send this information to Twitter to impersonate legitimate clients, circumventing access controls and blocks Twitter imposes on unofficial third-party software, Kaspersky Lab’s Threatpost found.
The micro-blogging site can create new keys and secrets for its apps, roll out updated versions of its software with the new login data, and only accept the new credentials. The problem is that will block access to anyone that has not upgraded.
But before that happens, anyone can, in theory, write any old code that presents itself as an official app to Twitter and thus enjoy all the services available exclusively to the website’s own gear, if the leak is genuine.
Twitter has used OAuth to authenticate approved third-party apps such as TweetDeck and others since August 2010. Facebook also uses the technology.
OAuth offers users the ability to sign into Twitter from software clients without having to dig up usernames and passwords.
But the technology is not without its problems. For example, when Twitter detected a breach last month, and advised 250,000 early adopters of the micro-blogging service to change their passwords, the use of OAuth meant it was still possible for authenticated Twitter clients to post tweets without prompting a user for their new password. In effect, Twitter for iPhone, Android, TweetDeck and the rest effectively stayed signed-in.