Tuesday, February 24, 2009

Security Hole Found, Fixed, and Deployed

Just before 10 am PST today, Sam Nguyen discovered, by chance, a security hole in Adjix2Twitter that allowed him to post this tweet to Guy Kawasaki's Twitter timeline. I'd never heard of Sam or his company before today - he is the CTO at InsideWork which "infuses business innovation with biblical insight".

Since Twitter is about as real-time as it gets, the following happened within an hour of the problem being discovered by Sam:

1. I saw the tweet as soon as it was sent and I immediately reviewed the logs to discover that Guy hadn't posted it from his own Adjix account.

2. NEENZ, who is Alltop's Chief Evangelist, DM'd me about the tweet and called Guy.

3. A number of Guy's followers @'d him regarding the tweet - and many also RT'd it, seemingly "in the blind".

4. Twenty minutes after Sam discovered the problem, he sent me an e-mail outlining what he had done, and I called him to get the details.

5. Guy, who was in a meeting when this happened, called me after the meeting to find out what was going on and what he needed to do.

6. Guy disavowed the tweet and proclaimed his love for Adjix.

Security Hole Details

While no one likes bugs, the one that Sam found was reproducible, which made it easier to fix.

To reproduce the problem, someone only needed to attempt to "reshrink" an existing Adjix link using Adjix2Twitter. Adjix2Twitter prevents an Adjix link from being shrunk a second time and simply returns the original link. The problem was that, on that path, the Twitter credentials associated with the original link (those of the user who first created it) were used to post to Twitter, rather than the credentials of the user who was actually posting. No Twitter user info and no Adjix user info was compromised or exposed. Exploiting this security hole only made it possible to post to someone else's Twitter account, and it happened exactly once.

To fix this problem, our servers now ensure that the credentials of the Linker (the user who clicked on the Adjix2Twitter bookmarklet) are used, and not the credentials associated with the link.
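The following is an added illustration, not Adjix's own code: a minimal Python model of a link shortener with a "post to Twitter" bookmarklet that reproduces the credential mix-up described above and shows the corrected lookup side by side. The class names, the in-memory stores, the placeholder tokens and the fake `_post` call are all assumptions made for the example.

```python
# Added example (not Adjix's code): a toy link shortener whose bookmarklet
# posts the shortened link to Twitter. The vulnerable path takes the Twitter
# credential from the link's original owner; the fixed path takes it from the
# authenticated requester. All names and data here are constructed.
from dataclasses import dataclass, field


@dataclass
class Link:
    short: str
    target: str
    owner: str  # the Linker who originally created this short link


@dataclass
class Service:
    # short code -> Link (constructed in-memory store)
    links: dict = field(default_factory=dict)
    # user -> stored Twitter credential (placeholder tokens, not real secrets)
    twitter_creds: dict = field(default_factory=dict)
    # record of (credential_used, text) for every simulated post
    posted: list = field(default_factory=list)

    def shrink(self, requester: str, url: str) -> Link:
        """Return the existing link when `url` is already one of our short
        links ("reshrink" case); otherwise create a new one for `requester`."""
        if url in self.links:
            return self.links[url]
        short = f"adj.ix/{len(self.links) + 1}"
        link = Link(short=short, target=url, owner=requester)
        self.links[short] = link
        return link

    def _post(self, cred: str, text: str) -> None:
        # Stand-in for the Twitter API call; only records which credential was used
        self.posted.append((cred, text))

    def bookmarklet_vulnerable(self, requester: str, url: str, text: str) -> str:
        """Original behaviour: the credential is derived from the link object."""
        link = self.shrink(requester, url)
        # BUG: when `url` is an existing short link created by someone else,
        # the post goes out under that other user's Twitter account.
        cred = self.twitter_creds[link.owner]
        self._post(cred, f"{text} {link.short}")
        return cred

    def bookmarklet_fixed(self, requester: str, url: str, text: str) -> str:
        """Corrected behaviour: the credential is derived from the requester."""
        link = self.shrink(requester, url)
        # FIX: authorization data comes from the authenticated session, never
        # from data attached to the object being reused.
        cred = self.twitter_creds[requester]
        self._post(cred, f"{text} {link.short}")
        return cred


def demo() -> tuple:
    """Run both code paths on the same reshrink input; return the credentials used."""
    svc = Service(twitter_creds={"guy": "TOKEN-guy", "sam": "TOKEN-sam"})  # constructed
    original = svc.shrink("guy", "https://example.com/post")  # guy creates the link
    # sam "reshrinks" guy's existing short link through the bookmarklet
    bad = svc.bookmarklet_vulnerable("sam", original.short, "hello")
    good = svc.bookmarklet_fixed("sam", original.short, "hello")
    return bad, good


if __name__ == "__main__":
    print(demo())  # ('TOKEN-guy', 'TOKEN-sam')
```

The structural lesson is the one the post describes: the credential used for a side effect must be looked up from the authenticated requester, not from a stored object the requester merely referenced. A regression test that shrinks a link as one user, reshrinks it as another, and asserts the post was made with the second user's credential is the cheap way to keep this class of bug from coming back.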

The Adjix2Twitter fix went live at 12:15 pm, about two hours after Sam first discovered the problem. All is well.

Cheers,
Joe