OAuth – As Seen Through PeriVision
https://www.perivision.net/wordpress
A mobile-centric blog ... Full of Tech goodness
Fri, 21 Feb 2014 03:12:14 +0000

Your Twitter app suddenly does not work with OAuth, could be your database
https://www.perivision.net/wordpress/2014/02/your-twitter-app-suddenly-does-not-work-with-oauth-could-be-your-database/
Sun, 16 Feb 2014 05:25:07 +0000

A few days back one of my Twitter apps, NewsSnacker.com, stopped working for some reason. I have not touched the code in months. So what the heck was going on? More odd is the fact that twittFilter was working fine. They are based off the same OAuth2.0 code. After a few hours of hacking and dropping trace statements all over the place, I figured it out.

I had a quick look at the Twitter blog to see if there were any warnings of something new with the API. Nothing jumped out at me, but I did notice that something was changing from 32 bits to 64 bits. I did not pay it much mind. As I was debugging I finally decided to get the keys from the Twitter site and manually start making some calls. The site started working again. What the heck? I checked my SQL statements and I was getting data from the database. Then I looked at the last 4 digits just to see if perhaps my tokens got corrupted or something. They do not match! But the first 4 digits DO match! Then it struck me. I quickly logged into the database and yup, just as I thought. I had my token fields set to varchar fields of 40 characters. Default. Arrggg.. All this work and it was just the keys getting larger.

I changed the token fields to 64 each and everything started working again. Well, mostly, because I introduced new errors and found some weaknesses in the code that I never noticed before. That was one afternoon shot to hell.

So if you suddenly find your Twitter app is not working anymore, check your database schema. It could be a quick fix and save you a few hours.
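An added example (mine, not code from the post) that replays the failure above in Python: a stand-in for a VARCHAR(40) token column that, like MySQL with strict mode off, silently cuts a longer value down to the column width; a length check to run before the INSERT; and a read-back comparison that tells a truncated token (same prefix, shorter) apart from a corrupted one. The token strings, user names and table class are constructed for the example and are not real credentials.

```python
"""Reproduce and detect an OAuth token silently truncated by a too-narrow column.

Added example, not code from the original post. LegacyTokenTable emulates
what a MySQL VARCHAR(n) column does when strict mode is off: the INSERT
succeeds and the value is cut to n characters, with at most a warning.
"""

# Constructed sample tokens (not real credentials). Twitter access tokens look
# like "<user id>-<random part>"; when the user id portion grew, tokens that
# used to fit in 40 characters no longer did.
OLD_STYLE_TOKEN = "123456789-AbCdEfGhIjKlMnOpQrStUvWxYz0123"                 # 40 chars
NEW_STYLE_TOKEN = "12345678901234567890-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"  # 57 chars


class LegacyTokenTable:
    """Hypothetical stand-in for a token table with a VARCHAR(width) column.

    insert() mimics non-strict truncation: anything past `width` is dropped
    and the row is still written, so nothing fails until the token is used.
    """

    def __init__(self, width=40):
        self.width = width
        self.rows = {}

    def insert(self, user, token):
        self.rows[user] = token[: self.width]

    def select(self, user):
        return self.rows[user]


def token_fits(token, width):
    """True if the token can be stored in a column of `width` characters intact."""
    return len(token) <= width


def store_token(table, user, token):
    """Refuse to store a token the column cannot hold, instead of letting the
    database shorten it silently."""
    if not token_fits(token, table.width):
        raise ValueError(
            f"token is {len(token)} chars but column is VARCHAR({table.width})"
        )
    table.insert(user, token)


def diagnose(issued, stored):
    """Compare the token just issued by the provider with the value read back
    from the database.

    'ok'        -> identical
    'truncated' -> stored value is a proper prefix of the issued one (the
                   symptom in the post: first digits match, last ones do not)
    'mismatch'  -> anything else (corruption, wrong row, stale token)
    """
    if stored == issued:
        return "ok"
    if len(stored) < len(issued) and issued.startswith(stored):
        return "truncated"
    return "mismatch"


def reproduce():
    """Replay the post's scenario: the old token fits VARCHAR(40), the new one
    is cut short, and widening the column to 64 (as the post did) fixes it."""
    narrow = LegacyTokenTable(width=40)
    narrow.insert("alice", OLD_STYLE_TOKEN)
    narrow.insert("bob", NEW_STYLE_TOKEN)

    wide = LegacyTokenTable(width=64)
    wide.insert("bob", NEW_STYLE_TOKEN)

    return {
        "old_token_narrow": diagnose(OLD_STYLE_TOKEN, narrow.select("alice")),
        "new_token_narrow": diagnose(NEW_STYLE_TOKEN, narrow.select("bob")),
        "new_token_wide": diagnose(NEW_STYLE_TOKEN, wide.select("bob")),
    }


if __name__ == "__main__":
    for case, result in reproduce().items():
        print(f"{case}: {result}")
```

Two practical notes. On a real MySQL server, enabling strict mode (`STRICT_TRANS_TABLES` or `STRICT_ALL_TABLES` in `sql_mode`) turns the silent truncation into a failed INSERT, which surfaces this class of bug on the day the provider changes token length rather than weeks later. And when comparing a stored token with a freshly issued one, compare the whole string as above rather than eyeballing a few leading characters, since the leading characters are exactly the part truncation preserves.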

How to hack Facebook through OAuth
https://www.perivision.net/wordpress/2013/02/how-to-hack-facebook-though-oauth/
Fri, 22 Feb 2013 22:36:38 +0000

Well, this is not good for Facebook. You're worried about your privacy? You try to use all the tools Facebook provides to protect yourself? It may not matter. Check this out below.

In Nir Goldshlager's post, he outlines, almost step by step, how you can perform the same 'hack'. Facebook claims to have fixed this, but Nir says there are others and he will post them soon.

I decided to share one of my favorite flaws I discovered in facebook.com.

This flaw allowed me to take full control over any Facebook account. By exploiting this flaw I could steal unique access tokens that provide me full control over any Facebook account.

Just to clarify: there is no need for any installed apps on the victim's account. Even if the victim never allowed any application in his Facebook account, I could still get full permissions (this bug works on any browser). To make this exploit work, the victim only needs to visit a webpage.

So OAuth is used by Facebook to communicate between applications and Facebook users. Usually users must allow/accept the application's request to access their account before the communication can start. Any Facebook application might ask for different permissions. For example:

Diamond Dash and Texas Holdem Poker only have permission to basic information and to post on the user's wall.

I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim's account even without any installed apps on the victim's account.

Another advantage of the flaw I found is that there is no "expiry date" on the token like there would be with any other application usage. In my attack the token never expires unless the victim changes his password :)

Twitter Basic Auth to end in 3 days. R U ready?
https://www.perivision.net/wordpress/2010/08/twitter-basic-auth-to-end-in-3-days-r-u-ready/
Sat, 14 Aug 2010 02:53:32 +0000

Yup, death of Basic Auth for Twitter, part 2. If you remember, we were going to have Basic Auth killed in favor of OAuth back in June, and they decided we (they) were not ready. Fair enough, plus the World Cup really put some strain on Twitter. So now we have until the 16th of Aug to get our acts in order. That means if you have not updated your code, you've got this weekend to sort it out.

Anyone who pays any attention to their Twitter app has already updated, including those doing mobile, which means xAuth for you guys. So Monday will be really interesting to see what stops working. Most likely, if you have a major Twitter app that depends on other APIs that call Twitter, it's THOSE that will catch people by surprise. But I'm sure there will be one or two that will fail.

I really hope twittFilter.com is not one of them.  🙂    Happy coding this weekend people!

Twitter going to OAuth ONLY in 2 weeks. You have been warned.
https://www.perivision.net/wordpress/2010/06/twitter-going-to-oauth-only-in-2-weeks-you-have-been-warned/
Mon, 14 Jun 2010 19:47:45 +0000

{UPDATE}

Well, it seems with all the issues Twitter has been having lately they have pushed this back a month, perhaps 2. But don't get lax, it's going to happen, so you may as well get on it now.

The end times are nigh. Yes, for all of us first-gen Twitter app devs, our old code is about to die on us. The old way of authenticating by sending a user's name and password (Basic Auth) will officially lose support July 1. That means you had better get OAuth (or xAuth) up and running beforehand. I have a feeling a lot of mashups might find a few broken pieces on July 1, and whole sites that are not really supported anymore could die altogether.

Now, replacing your old Twitter class with one that supports OAuth is not all that bad. In fact, if you waited like I have, you will find it's easier than when OAuth first rolled out. In my case, I had an old library from Nick Beam (2007) that I have been updating, and decided to switch to a library from Abraham -> http://github.com/abraham/twitteroauth that seems pretty straightforward to implement and use. Now, the issue I had to deal with was: how do I replace my existing library (which was built around username/password) with this new library? My first thought was to simply update my old twitter.class file with the new class file from Abraham. That turned out to be pretty messy. So the next best step? Simply move my existing function calls from the old class to the new one. For example, this was from the 2007 class. All I had to do to work with Abraham's library was change the last line:

function getMentions_test($format, $page = 0, $since_id = 0) {
    // REST path for the mentions timeline, e.g. "statuses/mentions.json"
    $api_call = sprintf("statuses/mentions.%s", $format);

    // Optional query parameters. http_build_query() URL-encodes them and
    // joins them with '&'; the original appended "?since_id=" even when
    // "?page=" was already present, producing a malformed query string.
    $params = array();
    if ($page) {
        $params['page'] = (int) $page;
    }
    if ($since_id) {
        // since_id is a tweet id and can exceed 32 bits, so it is passed
        // through as-is rather than formatted with %d.
        $params['since_id'] = $since_id;
    }
    if ($params) {
        $api_call .= '?' . http_build_query($params);
    }
    //echo 'api ' . $api_call . '<br>';

    // Old 2007 (username/password) library:
    //return $this->APICall($api_call, true);
    // Abraham's TwitterOAuth library:
    return $this->get($api_call);
}

All I changed was the return $this->APICall() to return $this->get()

Tada! Update pretty much done. Now there were some other things I had to change here and there, but that was about it. Of course, if you wrote your code NOT having your API calls to Twitter as a separate class, well then perhaps this is a good time to revise your code, eh? And I would get on it because, again, you only have 2 weeks left.

Here is the direct word from Twitter:

The majority of Tweets are sent or read on applications built by the developer community. … Many developers have already switched their applications over to use OAuth, and we’re here to help for those who haven’t. If you are a developer and still need to make this necessary change, you can read more about the OAuth transition and the resources available to you on the Twitter developers website.
