Researcher launches Day One of daily third-party Twitter app vulnerability disclosures, while some members of Twitter christen July 1 "TwitterSec Day"
The Month of Bugs phenomenon is back, with a new project aimed at exposing vulnerabilities in third-party Twitter applications.
Day One of The Month of Twitter Bugs project revealed four new cross-site scripting (XSS) vulnerabilities in the popular bit.ly URL-shortening tool used by many Twitter users to shorten links to fit into the 140-character Tweet limit. Bit.ly is also integrated into the popular TweetDeck Twitter interface. The controversial month-of-bugs concept -- where researchers disclose new vulnerabilities daily for a month -- was started three years ago by HD Moore, who brought attention to browser security issues with his Month of Browser Bugs project.
"I hope to raise the awareness of developers using the Twitter API to develop more secure code, as they should understand that by developing insecure code, they are not only exposing their own users to threats, but the entire Twitter community," says Aviv Raff, the researcher behind the project.
Three of the four XSS bugs had already been patched by the time Raff posted them this morning, and the remaining one -- a nasty persistent XSS bug -- was patched by bit.ly a few hours later. The bug, for which Raff posted proof-of-concept code, could be used by an attacker to Tweet from a victim's account, as well as to spread via a Twitter worm, Raff says.
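To illustrate the class of bug behind the persistent XSS described above, here is an added example that is not bit.ly's or Twitter's code and does not reproduce Raff's proof of concept. It models a URL shortener that stores a user-supplied link title and later renders it into a page: the vulnerable renderer interpolates the stored title straight into HTML, while the hardened renderer HTML-encodes every untrusted value and restricts the link target to http(s). The record `storedLink`, the function names and the hostile title are all constructed for the example.

```javascript
// Added example (not bit.ly's or Twitter's code): how a persistent XSS
// arises when a stored, attacker-controlled string is rendered into HTML
// without encoding, and the output-encoding fix that closes it.

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only http(s) targets are allowed in href; other schemes fall back to "#".
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) {
    // unparsable input is treated like a disallowed scheme
  }
  return "#";
}

// Constructed stored record, as a shortener might persist it. The title was
// supplied by whoever created the link, so it is attacker-controlled and is
// shown to every later visitor: that persistence is what makes the XSS "stored".
const storedLink = {
  code: "abc123",
  target: "https://example.org/page",
  title: '"><script>alert(1)</script>' // constructed hostile title
};

// Vulnerable rendering: the untrusted title lands in both an attribute and
// a text node with no encoding, so the markup it carries is parsed as HTML.
function renderVulnerable(link) {
  return `<a href="${link.target}" title="${link.title}">${link.title}</a>`;
}

// Hardened rendering: each untrusted value is encoded for the context it
// lands in, and the href is restricted to http(s).
function renderSafe(link) {
  const title = escapeHtml(link.title);
  const href = escapeHtml(safeHref(link.target));
  return `<a href="${href}" title="${title}">${title}</a>`;
}

// Simple check a reviewer or test can run over rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderVulnerable(storedLink));
  console.log("hardened:  ", renderSafe(storedLink));
}
```

The design point is that the fix lives at the output, not the input: the stored title is left as-is, and each place it is rendered encodes it for that context, so a value that is harmless in one context cannot become markup in another.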