June 15th, 2009

Coming in July: Month of Twitter Bugs

Posted by Ryan Naraine @ 11:00 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Malware, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research, Web 2.0

Tags: Vulnerability, Twitter, Aviv Raff, Web 2.0, Security, Internet, Ryan Naraine

A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem.

The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff, a researcher known for his work on Web-based security issues. Raff, who previously warned that the Twitter API is ripe for abuse, says the project will disclose a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.

Raff writes:

Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at least 24 hours heads-up before I publish the vulnerability.

Raff is hoping to raise awareness for the Twitter API weakness that exposes the popular service to worm attacks if a single third-party Twitter service (like Twitpic) contains a vulnerability.

The [Month of Twitter Bugs] could have been easily converted to any other “Month of Web 2.0 service bugs”, and I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products.

Raff was among the first group of researchers to launch a monthly vulnerability release project, partnering with HD Moore and others on the Month of Browser Bugs. Since then, similar projects have targeted security deficiencies in Apple’s Mac OS, the PHP scripting language and ActiveX controls.

Also read: Social networking attack targets enterprise data.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
