Aviv Raff -- who participated in a similar project in 2006 called the "Month of Browser Bugs" -- announced on his blog that his "Month of Twitter Bugs" will not reveal vulnerabilities specific to Twitter. Instead, he will publish bugs in popularly used third-party Twitter services, such as Twitpic or TweetDeck.
Raff said on his blog that he plans to provide the service providers with 24 hours of notice prior to publishing each bug. He plans to list the vulnerabilities on www.twitpwn.com.

Raff said he hopes the undertaking calls attention to the insecurity of many sites that use the Twitter application programming interface (API).

"In short, one small vulnerability in a third-party Twitter service has the potential to create a Twitter worm," Raff told SCMagazineUS.com. "For example, it could be used by an attacker to distribute malware. Won't you click on a link your friend has just Twitted?"

He said that even if Twitter were clean of all vulnerabilities, such as cross-site scripting (XSS) or cross-site request forgery, the site still could be abused by a coding flaw in a site using the Twitter API.

Last month, he offered an example when he published a proof-of-concept for a vulnerability on Twitpic.com, which enables users to share photos on Twitter.

"While Twitter.com sanitizes and encodes HTML tags in Twitter profile information, Twitpic failed to do so and by that, allowed injecting scripts to the Twitpic user profile page," Raff explained in a blog post. "This is a very simple, persistent XSS, which can be easily abused to hijack Twitpic.com user accounts. However, because Twitpic.com also uses the Twitter API to automatically send 'twits' on behalf of the user, whenever the user uploads a picture or comments on another user's picture, it can also be easily used to create a Twitter worm."

Raff told SCMagazineUS.com that Twitter -- and other sites such as Facebook and LinkedIn -- must improve their outreach to the websites and applications that use their APIs.

"There is no bullet-proof solution here," he said. "All I hope is for Twitter, and other Web 2.0 API providers, to work closely with the developers who use their API in order to make sure they develop code as secure as possible. It's mainly the third-party developers' fault, but I think Twitter should educate them about secure coding."

Security experts said Twitter finds itself in a difficult position because these third-party services help it grow faster. But a problem at one of these sites reflects poorly on the Twitter brand.

"Any of these third-party applications do need to take security seriously and incorporate security testing into their development life cycle, just like any enterprise or independent software developer would do," said Chris Eng, senior director of research at Veracode, an application security company.

Eng's colleague, Mike Puglia, director of product marketing, said Twitter can be more proactive by requiring that its API partners prove some level of security assurance.

See original article on scmagazineus.com
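The Twitpic flaw Raff describes comes down to a third-party site inserting profile text obtained from the Twitter API into its own page without HTML-encoding it. The following is an added illustration, not code from Twitpic or from Raff's proof-of-concept: the `profileFromApi` object, the page template and the helper names are constructed for this example, and it shows the unencoded rendering beside the encoded one.

```javascript
// Added example: a third-party site rendering a Twitter profile fetched
// via the API. The user object is constructed for illustration; the
// description field carries the kind of markup a hostile profile could hold.
const profileFromApi = {
  screen_name: "example_user",
  description: 'Photographer <script>alert("xss")</script>',
};

// Vulnerable: profile fields are concatenated straight into the page, so
// whatever markup the upstream API returns becomes part of the page.
// Relying on the API provider to sanitize is exactly the gap Raff points at.
function renderProfileVulnerable(user) {
  return (
    "<h1>@" + user.screen_name + "</h1>" +
    '<p class="bio">' + user.description + "</p>"
  );
}

// HTML-encode the five characters that change meaning in an HTML text or
// quoted-attribute context. Order matters: '&' first, so the entities this
// function emits are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: every untrusted field is encoded at the point it is inserted,
// regardless of what the upstream provider did with it.
function renderProfileSafe(user) {
  return (
    "<h1>@" + escapeHtml(user.screen_name) + "</h1>" +
    '<p class="bio">' + escapeHtml(user.description) + "</p>"
  );
}

// Simple check a test suite can run over rendered output: does an
// executable tag survive into the page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsScriptTag(renderProfileVulnerable(profileFromApi))); // true
console.log(containsScriptTag(renderProfileSafe(profileFromApi)));       // false
```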