Twitter Login Not Secured – WTF?
Filed Under Computers & Tech, Security on August 19, 2009 at 9:17 pm
I don’t normally log in to Twitter directly – I almost always use clients – but today I did, and I noticed something which shocked me – Twitter is sending login details over an unsecured HTTP connection! I have no idea if Twitter’s always done this, or if they are experiencing some kind of bug today, but either way, this is a serious issue.
If I were using public WiFi or any other untrusted network it would be trivial for someone on the same network to capture both my username and password and take over my Twitter account. Worse still, if I used the same credentials elsewhere, as so many people do, all those other accounts could be taken over too. This is just not acceptable in 2009.
I just refused to believe Twitter could do something so horribly irresponsible, so before publishing this post I double-checked. I started at the Twitter home page and clicked “login”. This took me to a login page at http://twitter.com/login, clearly an unsecured page. Serving the login page itself over plain HTTP has its own problems, but the form on that page could still submit the details you enter to Twitter over a secured connection, so I had a quick look at the source to see where the form submits to. Below is the relevant form definition:
<form action="/sessions" class="signin" method="post">
This is a relative URL, so the browser resolves it against the page it appears on and submits to http://twitter.com/sessions, i.e. an unsecured URL. Had the action been an absolute https:// URL, the credentials would at least have been encrypted in transit even though the page itself was not.
Just to be ABSOLUTELY sure of what I’m saying, I did a simple test: I sniffed my own network traffic, looking for all traffic to or from port 443, the port for secure web connections. The command I used was:
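The form check described above can be automated. The Python script below is an added example, not code from the original post or from Twitter: it parses the form definitions on a page, resolves each action attribute against the page's own URL the way a browser does, and reports whether the credentials would travel over TLS. The sample HTML inside it is constructed for this example, modelled on the Twitter form quoted above and on the Facebook action URL mentioned in the comments, and it goes beyond the Twitter case to also cover absolute https actions, protocol-relative actions and forms with no action attribute at all.

```python
"""Resolve where HTML login forms submit to, and whether that is over HTTPS.

Added example; the sample pages below are constructed, not captured.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample modelled on the form definition quoted in the post.
SAMPLE_TWITTER_LOGIN = """
<html><body>
<form action="/sessions" class="signin" method="post">
  <input name="username"><input name="password" type="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample modelled on the Facebook form described in the comments:
# unsecured page, but the action is an absolute https URL.
SAMPLE_FACEBOOK_LOGIN = (
    '<form method="post" action="https://login.facebook.com/login.php">'
    '<input name="email"><input name="pass" type="password"></form>'
)

# Constructed edge case: a protocol-relative action inherits the page's scheme.
SAMPLE_PROTOCOL_RELATIVE = '<form action="//example.test/sessions" method="post"></form>'


class _FormFinder(HTMLParser):
    """Collect (action, method) for every <form> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("action"), (a.get("method") or "get").lower()))


def form_targets(page_url, html):
    """Describe each form's resolved submit URL and whether it uses TLS.

    A missing or empty action submits back to the page URL itself; a relative
    action such as "/sessions" is resolved against the page URL, as a browser
    would do, so it silently inherits the page's scheme and host.
    """
    finder = _FormFinder()
    finder.feed(html)
    page_over_tls = urlsplit(page_url).scheme.lower() == "https"
    results = []
    for action, method in finder.forms:
        target = urljoin(page_url, action) if action else page_url
        results.append({
            "method": method,
            "target": target,
            "submits_over_tls": urlsplit(target).scheme.lower() == "https",
            "page_over_tls": page_over_tls,
        })
    return results


def login_is_safe(page_url, html):
    """True only if the page itself and every form on it use https.

    An https action on an http page protects the password on the wire but not
    against a spoofed page, so it does not count as safe here.
    """
    targets = form_targets(page_url, html)
    return bool(targets) and all(
        t["submits_over_tls"] and t["page_over_tls"] for t in targets
    )


if __name__ == "__main__":
    for url, html in (("http://twitter.com/login", SAMPLE_TWITTER_LOGIN),
                      ("http://www.facebook.com/", SAMPLE_FACEBOOK_LOGIN),
                      ("https://twitter.com/login", SAMPLE_TWITTER_LOGIN)):
        for t in form_targets(url, html):
            print(url, "->", t["method"].upper(), t["target"],
                  "TLS" if t["submits_over_tls"] else "CLEARTEXT")
        print("  safe login page:", login_is_safe(url, html))
```

To check a real site, fetch the login page yourself (with the page URL you actually landed on, since a redirect may have changed the scheme) and pass the body to `form_targets`; the page URL matters as much as the markup, because it is what a relative action inherits.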
sudo tcpdump -i en0 port 443
Before testing Twitter’s login page I tested my filter by securely logging in to GMail – this generated hundreds of packets to or from port 443 – as it should. Having verified my filter I ran it again while going through the Twitter login process (using incorrect login details obviously). My browser dutifully sent the username and password to Twitter, Twitter dutifully accepted those details (but didn’t log me in since the details were made up) – all as expected. Unfortunately – there was not a single packet detected heading to or from port 443. In other words – the login details were not sent over a secured connection!
The lack of encryption is an obvious problem, but there are two other less obvious but equally important problems too. HTTPS is not just for encrypting communications; it also guarantees the integrity of the communication and authenticates the end-point. When I visit a website over a secure connection, that connection provides me with three things:
- Encryption – ensuring that what gets sent cannot be read by anyone intercepting the communication
- Authentication – an SSL cert used for HTTPS is bound to a domain name – if the cert checks out I can be confident that I really am communicating with the web server that I think I’m communicating with
- Integrity – ensuring that the data sent cannot be changed en-route. I.e. that I know that what I receive is really what the server sent, and that the server will really receive what I send.
The second point here is a really important one. We live in an age where phishing is rife. There are many ways to trick your computer into thinking that www.twitter.com has a different IP address than it really does (poisoned DNS or a spoofed gateway on an open WiFi network, for example) – in other words, your URL bar could read www.twitter.com, but you may be on a bad guy’s server. With a secured connection your browser should cry foul and show a certificate error, hence alerting you to the fact that you were about to give your username and password to some attacker impersonating Twitter. Over plain HTTP there is no certificate to check, so there is nothing to warn you.
For all these reasons – secured connections are very important for my safety and the safety of all my fellow twitterers. Unsecured logins should be impossible! All attempts to log in over an unsecured connection should result in an automatic redirect to a secure login page which submits the login details over HTTPS.
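What that fix looks like on the server side, as an added example that is not Twitter's code: a small WSGI application that answers any plain-HTTP request for the login page or the sessions endpoint with a redirect to the https login page, without ever reading the submitted credentials, serves the form with an absolute https action, and sets a Strict-Transport-Security header (a mechanism that postdates this post). The host names, paths, field names and the `make_environ` helper are assumptions made for the example.

```python
"""WSGI login flow that refuses to take credentials over plain HTTP.

Added example, not Twitter's implementation; paths and field names are assumed.
"""
import io
from urllib.parse import parse_qs

# HSTS (RFC 6797) postdates this post: once a browser has seen it over https it
# will not fetch http://host/... again for max-age seconds, closing the hole of
# a user typing or bookmarking the http login URL.
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ):
    # Trust only what the WSGI server reports. Behind a TLS-terminating proxy
    # the proxy must set wsgi.url_scheme (or a header you explicitly trust);
    # never believe a client-supplied X-Forwarded-Proto.
    return environ.get("wsgi.url_scheme", "http").lower() == "https"


def _host(environ):
    return environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")


def https_login_url(environ):
    return "https://%s/login" % _host(environ)


def login_form_html(environ):
    # Absolute https action: the form never inherits the page's scheme.
    return ('<form action="https://%s/sessions" class="signin" method="post">'
            '<input name="username"><input name="password" type="password">'
            '<input type="submit" value="Sign in"></form>' % _host(environ))


def handle(environ):
    """Return (status, headers, body) for the /login and /sessions endpoints."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET").upper()

    if path in ("/login", "/sessions") and not is_https(environ):
        # Do not read the body: a password POSTed over http is already on the
        # wire in the clear, and accepting it would only reward the mistake.
        # 303 makes the browser GET the secure login page instead.
        return ("303 See Other",
                [("Location", https_login_url(environ)),
                 ("Content-Type", "text/plain")],
                b"Login is only available over HTTPS.\n")

    if path == "/login" and method == "GET":
        return ("200 OK", [("Content-Type", "text/html"), HSTS],
                login_form_html(environ).encode())

    if path == "/sessions" and method == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(length).decode())
        if not fields.get("username") or not fields.get("password"):
            return ("400 Bad Request", [("Content-Type", "text/plain"), HSTS],
                    b"missing credentials\n")
        # Credentials arrived over TLS; verifying them against the user store
        # and issuing a session cookie is the application's job, not shown here.
        return ("200 OK", [("Content-Type", "text/plain"), HSTS],
                b"credentials received securely\n")

    return ("404 Not Found", [("Content-Type", "text/plain")], b"not found\n")


def app(environ, start_response):
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]


def make_environ(scheme, method, path, host, body=b""):
    """Build a minimal WSGI environ by hand, so the flow can be exercised offline."""
    return {
        "wsgi.url_scheme": scheme, "REQUEST_METHOD": method, "PATH_INFO": path,
        "HTTP_HOST": host, "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Plain http on localhost purely to watch the redirect happen; in real use
    # TLS sits in front of this app and sets wsgi.url_scheme to "https".
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The redirect does not un-send a password that a browser has already POSTed over http; its value is that the server never treats such a request as a login, so the insecure path cannot be relied on and users are steered to the https form where the absolute action and HSTS keep them.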
There is a small silver lining though – you can FORCE Twitter to log you in securely by going directly to the URL https://twitter.com/login rather than clicking on the login button on Twitter’s home page. If you use Twitter’s Web Interface – BOOKMARK THIS NOW – and ALWAYS log in using this URL!
I’m not on Twitter, but your post alarmed me and I went and checked out my Facebook login. Same thing. Http, not https. They also have a secure login page, but it immediately changes to the insecure URL. If there’s a different way to do this, please let me know.
Hi Robin,
I had a look at the FaceBook page and although the page itself does not use HTTPS, it does at least submit your data over a secure connection – the form submits to the URL https://login.facebook.com/login.php, which is secure. It would still be nice if the login page itself was secured so you could have confidence that you really are at FaceBook’s page though.
Thanks for the tip. I’m shocked that I never noticed this before. The “Finger of Shame” should be wagged at me.
In the somewhat related category, gMail has a setting you can turn on to make sure that when you use mail.google.com it’s secure. gMail always uses https to authenticate, but once you’re logged in your data will be sent in the clear unless you go into Settings -> General Tab and then at the bottom select “Always use https.”
I don’t know if you’re familiar with Greasemonkey, but there is a script I use that forces a list of known sites (that you can modify) to use https by default.
http://userscripts.org/scripts/show/29090
LOL, I guess I am in the minority!
I never expected Twitter or Facebook to have secure logins. I am always careful not to log in while on an open wifi network, unless I am using a VPN.
But it’s nice to know there are secure options for twitter and facebook.
Thanks Bart
Gosh, new to all this, but I have attended Failte Ireland workshops and they recommend being on Twitter.
Since Twitter went HTTPS some time ago, and since this post is proving to be a SPAM magnet I’m closing the comments now.