First off, there's a potential security issue with the ability to have
user-defined callbacks around our JSON responses (sometimes referred
to as "JSONP"). An attacker could construct a page with a malicious
callback that calls Twitter API methods that return potentially
private data and store that data on his server. A user would have to
have created a Basic Auth session to the Twitter API in her browser,
which is fairly unlikely, but this is still concerning. My proposal
is to disable user-specified callbacks for all methods that could
return private data. I'd like to push that change by the end of the
week, but I need to know if that's enough time for all of you to push
new releases.
Secondly, there's another security issue in older versions of Firefox
that allows attackers to redefine the Array prototype to malicious
ends. The standard workaround for this is to return all responses as
hashes with a fixed root element, ex:
{"statuses": [...] }
This would be a more far-reaching change, as it breaks any and all
applications that consume JSON from the Twitter API. It's also a much
lower-priority security issue. What do you all think is a reasonable
time frame for making this change?
Thanks much for your feedback. Please, if you have friends working
with the Twitter API who use JSON, ask them to weigh in on this. I'd
like to plan a smooth, painless transition for these issues.
--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
I'd like at least 90 days myself. I don't really need that length of time
for my little app but given the handwringing over friends_timeline, it's
going to need to be at least that long for all the people who will come
out of the woodwork.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- LOAD"STANDARD DISCLAIMER",8,1 ----------------------------------------------
I'd like at least 90 days myself. I don't really need that length of time
for my little app but given the handwringing over friends_timeline, it's
going to need to be at least that long for all the people who will come
out of the woodwork.
With all due respect, security holes do need to be closed and dealt with in
a timely fashion, but this is a security hole in a now deprecated version
of JavaScript and a hole that by fixing it will render large portions of the
user community off-line immediately. People here have short memories:
remember all the screaming that occurred for weeks when friends_timeline got
modified? Most of that screaming came from people who did NOT have any way
of changing their twitter badges and the like, and claimed to have no idea
that the change was going forward.
I suggested ninety days with frequent list reminders (YOUR APP WILL NOT WORK
IF IT USES JSON) because it took nearly that long for the static to die down
and some very common uses such as blog plugins may be slower to update. A
post to dev.twitter.com (YOUR APP WILL NOT WORK IF IT USES JSON) should catch
the rest of the people who don't watch the list. Maybe a shorter period would
also work but I think a week is way too short.
> Lets paint a scenario (granted i dont know the depth of the security risk),
> but by "private data" i assumed you meant someone's account pedigree info.
> What if someone was able to manipulate the hole you mention to return
> password hashes and email login?
As far as I can tell, Alex is referring to this:
http://directwebremoting.org/blog/joe/2007/03/05/json_is_not_as_safe_as_people_think_it_is.html
This is clearly bad but not catastrophic. It lets you get to potentially
protected data, which is clearly bad, but
> into their email, and the person was able to access someone's bank account
> (yes bank websites have all kinds of new security features, but if the
> person hasn't logged in in a while they couldn't have changed over to the
> newer more secure method of using that bank website). Attacker ends up being
> caught and we find out he got the information to go on this little adventure
> through a security hole in twitter. The LAST thing any of us want is a
> lawsuit against twitter.
anyone who is posting bank information as tweets, even protected ones, is
also clearly stupid. Most people understand that the anonymity that the
padlock provides is not designed to be airtight.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- Furious activity is no substitute for understanding. -- H. H. Williams -----
--
Also, is there any example JSON data available? Do you have a list of
APIs which will be changed?
Thanks,
Kazuho