Thursday, April 22, 2010

Twitter @Anywhere and eavesdropping threat in IE6/7

Twitter @Anywhere is a kind of "Facebook Connect for Twitter": it allows a third-party web site to access the Twitter API using OAuth (perhaps an early implementation of OAuth WRAP/2.0?), but without any server-side code, using only JavaScript.

The @Anywhere service appears to use an iframe-based cross-domain technique to communicate with the API server from a web site on a different domain. Recent browsers such as Firefox 3+, Chrome 4, Safari 4 and Internet Explorer 8 support HTML5 cross-document messaging, so this is not very difficult there. For older browsers, meaning Internet Explorer 6/7, they use the window.name transport. The details of the window.name cross-domain frame communication technique are in this article.


I found an eavesdropping concern in @Anywhere's cross-domain communication when it is used with Internet Explorer 6/7. As mentioned above, they use the window.name technique rather than the HTML5 standard when users are on those browsers. The window.name hack is useful but insecure, because the name can be read by content from any domain that is included in the page via an iframe. Of course, the window.name property is protected against reading by a script from a different domain (interestingly, setting the value from a different domain is allowed in Internet Explorer), but changing a frame's location is always allowed, so an attacker in another frame can change that frame's location to the attacker's domain and then read the name property to eavesdrop on the conversation. In Twitter @Anywhere's case in particular, the OAuth token is included in the conversation message, so an attacker can access any Twitter API using that token.
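As an added illustration (not @Anywhere's code), here is the origin-checked HTML5 cross-document messaging the post contrasts with the window.name transport, applied to the token hand-off: the API frame names the exact host origin, the host page checks event.origin, and a browser without postMessage gets a refusal rather than a window.name fallback. The origins, the message format and the fake-window helper are assumptions so the snippet runs offline.

```javascript
// Assumed origin of the API frame (stand-in for the real @Anywhere frame).
const TRUSTED_API_ORIGIN = "https://api.example.invalid";

// Sender side, running inside the API frame. `targetWin` is the host window,
// `hostOrigin` the one origin the token may be delivered to.
function sendToken(targetWin, token, hostOrigin) {
  if (typeof targetWin.postMessage !== "function") {
    // IE6/7 path: window.name can be read by any frame that navigates this
    // frame to its own domain, so a secret must not be transported at all.
    return { delivered: false, reason: "no postMessage; window.name fallback refused" };
  }
  // A concrete targetOrigin (never "*") makes the browser drop the message
  // if the host frame has meanwhile been navigated to another origin.
  targetWin.postMessage(JSON.stringify({ type: "oauth_token", token: token }), hostOrigin);
  return { delivered: true };
}

// Receiver side, running in the host page's message handler. Returns the
// token only when the event comes from the trusted frame and is well-formed.
function receiveToken(event, trustedOrigin) {
  const expected = trustedOrigin || TRUSTED_API_ORIGIN;
  if (event.origin !== expected) return null; // reject every other origin
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  if (!msg || msg.type !== "oauth_token" || typeof msg.token !== "string") return null;
  return msg.token;
}

// Constructed stand-in for a browser window that records postMessage calls,
// so the two sides can be exercised without a browser.
function makeFakeWindow(hasPostMessage) {
  const sent = [];
  const w = { sent: sent };
  if (hasPostMessage) {
    w.postMessage = function (data, origin) { sent.push({ data: data, origin: origin }); };
  }
  return w;
}
```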


This is especially serious if the service can contain arbitrary URL content inside an iframe. I can imagine a URL intermediary service with iframed content (like ow.ly) might consider adopting @Anywhere to share the URL directly to Twitter, but this should be avoided for now.