bor.borygmus

A programming weblog by Hao Lian. • A long walk through an angry forest. • A series of memory leaks brought on by senility.

Let’s say, one day, you become insane and want to authorize your application to access a user’s data on Twitter. WITH OAUTH!

Twist!

A brief recap: OAuth authenticates an application. It ensures that a sequence of HTTP requests belongs to exactly one person, which is hugely important if you’re providing a service API like Twitter is. Here we’ll present OAuth with signed callback URLs, which is how Twitter provides OAuth for desktop applications—applications that might not have web browsers but nevertheless need to get the Special OAuth Pat on the Back and let the user allow it to access his data. And to do so, you do this:

You’ll grab a request token. With it, you’ll ask the user to log into Twitter and get a special PIN. This PIN is pasted into your application. You then trade your request token for an access token, with which you can perform unspeakable evil.

A first attempt at precisely this:

(January 21, 2010)

There’s an open call by Tav, looking for people to break the security boundaries on safelite.FileReader—a file reader—and write a file. As pointed out by seul on reddit, this is basically a window into how really smart Python programmers think.

(February 24, 2009)

Background: Several pages on MetaFilter last night had a script tag pointing to an h.js file on tejary.net. I was going to post this as a comment, but the website was taken down.

Hopefully this helps someone:

h.js is a file that writes an iframe when executed, an iframe pointing to kodim.net’s faq.htm.

faq.htm is a one-line script tag for a JavaScript file from count49.51yes.com. (Here’s a cleaned-up version on Pastie.) The count49 JS file creates an anchor tag and an iframe, as you can see from this pastie. The anchor tag (containing the little graph icon) seems fairly banal, and the iframe points to a website in Chinese that’s throwing an ASP error.

The count49 JS file also looks for two cookies: cck_lasttime and cck_count, which don’t seem specific to MetaFilter. If they don’t exist, the JS creates them. If they do exist, it increments cck_count and updates cck_lasttime.

I would cautiously say that there’s no attempt to steal user data here, with the massive grain of salt that I’ve only spent five minutes looking at this for the fun of it. However, the fact that they did manage to get into MetaFilter is worrying.

Update: Information from MetaFilter admins.

(January 24, 2009)