Month of Twitter Bugs project to document Twitter flaws

By Robert Westervelt, News Editor 17 Jun 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

One of the security researchers behind the Month of Browser Bugs project is launching a new project documenting API flaws in the social networking platform Twitter.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Aviv Raff, who worked with HD Moore on the "Month of Browser Bugs" project, will start a Month of Twitter Bugs dedicated to highlighting the security deficiencies that put millions of Twitter users at risk. The security researcher turned his focus on Twitter last year, starting the Twitpwn website to highlight Twitter vulnerabilities.

In a blog posting announcing the Month of Twitter Bugs project, Raff said the Month of Browser Bugs provided examples of how "unexploitable" vulnerabilities could be used by an attacker for remote code execution. It exposed 31 browser holes, most affecting Microsoft's Internet Explorer. The Twitter bug project will officially launch in July.

There has been an interest in Web-based vulnerabilities and the increased threat of data leakage associated with the rising use of social networking platforms, including Twitter, Facebook, MySpace and others. Security professionals are under pressure to relax security policies to allow employees to use the platforms for marketing and other business needs, according to some recent surveys.

SearchSecurity radio:

Raff has taken issue with Twitter's API, which allows developers of related programs to tap into Twitter services. By exploiting a vulnerability in a Twitter service or application that uses the API, it could be used as a springboard, allowing the creation of Twitter worms, Raff said. The Month of Twitter Bugs will accept submissions of vulnerabilities discovered in third-party Twitter services.

"I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products," Raff wrote on his blog.

Raff said his project could have focused on bugs in any Web-based social networking website. APIs used for Facebook, LinkedIn and others are vulnerable to third-party vulnerabilities that tap into their services.

The "Month of' bugs have come under scrutiny from security bloggers in the past who criticized the disclosure projects for being designed for press attention rather than better security. Some security professionals said the projects had become the cyber equivalent of a vigilante, smashing down doors and leaving them open for any attacker to exploit.

Tags: Web Application and Web 2.0 Threats,  Web Application Security,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Application and Web 2.0 Threats New Facebook worm propagates using sexy model Web security firm ranks Firefox, Safari browsers as flaw prone Web application vulnerability assessment shows patching progress Layoffs prompt insider threat fears, cybersecurity survey finds Botnet masters turn to Google, social networks to avoid detection Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Kaspersky system analyzes malicious URLs on Twitter for malware Pushdo botnet uses Facebook to spread malicious email attachment Do Facebook URL security concerns justify blocking social networks? Web Application Security Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary