Softpedia
July 20th, 2010, 09:41 GMT · By

XSS Attack on Twitter Subdomain Allowed for Complete Session Hijacking

Figure: Broad authentication cookie domain scope led to Twitter session hijacking
A Google security researcher has found a security hole on a Twitter subdomain that facilitated session hijacking attacks. The compromise was possible because the session cookie was issued with an overly broad domain scope.

The flaw was discovered and documented on his blog by Google Security Engineer Billy Rios. Rios previously worked as a Security Program Manager for Internet Explorer at Microsoft and as Senior Security Consultant at VeriSign.

The security issue was found on apiwiki.twitter.com, which hosts a wiki with resources for developers working with the Twitter API. “Fortunately for the attacker (or unfortunately for Twitter) the session cookie that represents authentication is scoped to the parent Twitter domain (.twitter.com). With such a widely scoped cookie, a XSS bug on any of the twitter subdomains means I can steal the twitter session cookie for www.twitter.com (which is where all the action takes place),” the security researcher explains.

The problem with this is that secondary sites, particularly those holding non-sensitive, public information such as apiwiki.twitter.com or support.twitter.com, are not scrutinized as heavily as the main twitter.com website for security holes like cross-site scripting (XSS) bugs. As such, it didn't take long for the security researcher to find a vulnerable parameter in a script on the Twitter API wiki.
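The cookie scope described above can be checked without a browser. The following is an added example, not code from the article or from Twitter: it feeds a Set-Cookie header into Python's standard http.cookiejar, which applies the same host-matching rules a browser does, and then asks which hosts would receive the cookie. The host names mirror the article; the cookie name, value and login path are constructed for the example, and the hardened variant simply omits the Domain attribute so the cookie becomes host-only.

```python
"""Added example: how the Domain attribute on a session cookie decides which
hosts receive it. Standard library only; http.cookiejar applies browser-style
host matching, so no network access is needed. The host names mirror the
article; the cookie name, value and login URL are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

LOGIN_URL = "https://www.twitter.com/login"          # host that issues the cookie
PROBE_HOSTS = ("www.twitter.com", "apiwiki.twitter.com",
               "support.twitter.com", "twitter.example.org")

# The setting the article describes: Domain=.twitter.com makes every subdomain
# a valid recipient of the session cookie (cookie name and value are constructed).
BROAD_SCOPE = "session=CONSTRUCTED_SESSION_ID; Domain=.twitter.com; Path=/; Secure; HttpOnly"
# Hardened form: no Domain attribute, so the cookie is host-only for www.twitter.com.
HOST_ONLY = "session=CONSTRUCTED_SESSION_ID; Path=/; Secure; HttpOnly"


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value   # Message keeps repeated headers

    def info(self):
        return self._headers


def store_login_cookie(set_cookie_header, login_url=LOGIN_URL):
    """Simulate the login host answering with one Set-Cookie header; return the jar."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse([set_cookie_header]), Request(login_url))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the client would attach to `url`, or None if none applies."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def scope_report(set_cookie_header, hosts=PROBE_HOSTS):
    """Map each probe host to whether the stored session cookie would be sent to it."""
    jar = store_login_cookie(set_cookie_header)
    return {host: cookie_header_for(jar, f"https://{host}/") is not None
            for host in hosts}


if __name__ == "__main__":
    for label, header in (("Domain=.twitter.com", BROAD_SCOPE), ("host-only", HOST_ONLY)):
        print(f"Cookie scope: {label}")
        for host, sent in scope_report(header).items():
            print(f"  {host:22s} {'receives cookie' if sent else 'does not receive cookie'}")
```

With the broad scope, every *.twitter.com host in the report receives the session cookie, so script running on any subdomain can read it unless HttpOnly blocks access; with the host-only form, only www.twitter.com receives it, and an XSS bug on a wiki or support subdomain no longer exposes the main site's session. The unrelated host twitter.example.org never receives the cookie in either case.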

XSS vulnerabilities result from a failure to properly sanitize values passed to parameters, which allows attackers to craft URLs that execute unauthorized code inside the user's browser. In this case, the researcher had to get creative, because the attack wouldn't execute if there were periods in the payload.
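To make the "failure to properly sanitize" concrete, here is an added example (not code from the article, from Twitter or from the wiki software) rendering the same page fragment with and without output encoding. The search route, the parameter name `q` and the probe value are constructed; the fix is Python's `html.escape`, applied at the point where the value lands in HTML.

```python
"""Added example: a page fragment that echoes a request parameter, rendered
unencoded (the class of bug the article describes) and HTML-encoded.
The route, parameter name and probe value are constructed for the example."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed probe value: any markup the page echoes verbatim is a defect,
# whatever it would do; a bare <script> element is enough to show the difference.
PROBE = "<script>probe()</script>"


def probe_url(base="https://wiki.example/search", term=PROBE):
    """Build the request URL a user would load, with the term percent-encoded."""
    return f"{base}?q={quote(term)}"


def _param(url, name):
    """Extract one query parameter from a URL (first occurrence, '' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_search_vulnerable(url):
    """Echoes the search term into HTML untouched: reflected XSS."""
    term = _param(url, "q")
    return f"<p>Results for: {term}</p>"


def render_search_hardened(url):
    """Same template, but the term is HTML-encoded for the context it lands in."""
    term = _param(url, "q")
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_unencoded(rendered, term):
    """Review check: does the rendered page contain a markup-bearing term verbatim?"""
    return "<" in term and term in rendered


if __name__ == "__main__":
    url = probe_url()
    print("vulnerable:", render_search_vulnerable(url))
    print("hardened:  ", render_search_hardened(url))
```

Note that the parameter arrives percent-encoded in the URL and is decoded by the framework before rendering, so filtering the raw URL is not a substitute for encoding the decoded value at output time; the hardened renderer leaves ordinary search terms readable while turning `<` and `>` into entities.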

When he finally got it working, his specially crafted URL was able to hijack victims' Twitter session cookies and send them to a server under his control. There are various methods of getting users to load such a malicious link in their browsers, the most straightforward ones involving simple social engineering.

Before making any details public, Rios contacted Twitter Security, which quickly addressed the vulnerability. However, this proof-of-concept attack serves as a reminder of one security issue commonly overlooked by webmasters – broad cookie domain scope.

You can follow the editor on Twitter @lconstantin
