Month of Twitter Bugs project to document Twitter flaws

Robert Westervelt, News Director

One of the security researchers behind the Month of Browser Bugs project is launching a new project documenting API flaws in the social networking platform Twitter. 

Aviv Raff, who worked with HD Moore on the "Month of Browser Bugs" project, will start a Month of Twitter Bugs dedicated to highlighting the security deficiencies that put millions of Twitter users at risk. The security researcher turned his focus on Twitter last year, starting the Twitpwn website to highlight Twitter vulnerabilities.

In a blog posting announcing the Month of Twitter Bugs project, Raff said the Month of Browser Bugs provided examples of how "unexploitable" vulnerabilities could be used by an attacker for remote code execution. It exposed 31 browser holes, most affecting Microsoft's Internet Explorer. The Twitter bug project will officially launch in July.

There has been an interest in Web-based vulnerabilities and the increased threat of data leakage associated with the rising use of social networking platforms, including Twitter, Facebook, MySpace and others. Security professionals are under pressure to relax security policies to allow employees to use the platforms for marketing and other business needs, according to some recent surveys. 

Raff has taken issue with Twitter's API, which allows developers of related programs to tap into Twitter services. A vulnerability in a Twitter service or application that uses the API could be used as a springboard, allowing the creation of Twitter worms, Raff said. The Month of Twitter Bugs will accept submissions of vulnerabilities discovered in third-party Twitter services.

"I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products," Raff wrote on his blog.

Raff said his project could have focused on bugs in any Web-based social networking website. APIs used for Facebook, LinkedIn and others are exposed to vulnerabilities in third-party programs that tap into their services.

The "Month of" bug projects have come under scrutiny in the past from security bloggers, who criticized the disclosure projects for being designed for press attention rather than better security. Some security professionals said the projects had become the cyber equivalent of a vigilante, smashing down doors and leaving them open for any attacker to exploit.

