One of the security researchers behind the Month of Browser Bugs project is launching a new project documenting API flaws in the social networking platform Twitter.
To get security news and tips delivered to your inbox,
Aviv Raff, who worked with HD Moore on the "Month of Browser Bugs" project, will start a Month of Twitter Bugs dedicated to highlighting the security deficiencies that put millions of Twitter users at risk. The security researcher turned his focus on Twitter last year, starting the Twitpwn website to highlight Twitter vulnerabilities.
In a blog posting announcing the Month of Twitter Bugs project, Raff said the Month of Browser Bugs provided examples of how "unexploitable" vulnerabilities could be used by an attacker for remote code execution. It exposed 31 browser holes, most affecting Microsoft's Internet Explorer. The Twitter bug project will officially launch in July.
There has been an interest in Web-based vulnerabilities and the increased threat of data leakage associated with the rising use of social networking platforms, including Twitter, Facebook, MySpace and others. Security professionals are under pressure to relax security policies to allow employees to use the platforms for marketing and other business needs, according to some recent surveys.
Raff has taken issue with Twitter's API, which allows developers of related programs to tap into Twitter services. By exploiting a vulnerability in a Twitter service or application that uses the API, it could be used as a springboard, allowing the creation of Twitter worms, Raff said. The Month of Twitter Bugs will accept submissions of vulnerabilities discovered in third-party Twitter services.
"I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products," Raff wrote on his blog.
Raff said his project could have focused on bugs in any Web-based social networking website. APIs used for Facebook, LinkedIn and others are vulnerable to third-party vulnerabilities that tap into their services.
The "Month of' bugs have come under scrutiny from security bloggers in the past who criticized the disclosure projects for being designed for press attention rather than better security. Some security professionals said the projects had become the cyber equivalent of a vigilante, smashing down doors and leaving them open for any attacker to exploit.