Month of Twitter Bugs project to document Twitter flaws

By Robert Westervelt, News Editor 17 Jun 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

One of the security researchers behind the Month of Browser Bugs project is launching a new project documenting API flaws in the social networking platform Twitter.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Aviv Raff, who worked with HD Moore on the "Month of Browser Bugs" project, will start a Month of Twitter Bugs dedicated to highlighting the security deficiencies that put millions of Twitter users at risk. The security researcher turned his focus on Twitter last year, starting the Twitpwn website to highlight Twitter vulnerabilities.

In a blog posting announcing the Month of Twitter Bugs project, Raff said the Month of Browser Bugs provided examples of how "unexploitable" vulnerabilities could be used by an attacker for remote code execution. It exposed 31 browser holes, most affecting Microsoft's Internet Explorer. The Twitter bug project will officially launch in July.

There has been an interest in Web-based vulnerabilities and the increased threat of data leakage associated with the rising use of social networking platforms, including Twitter, Facebook, MySpace and others. Security professionals are under pressure to relax security policies to allow employees to use the platforms for marketing and other business needs, according to some recent surveys.

SearchSecurity radio:

Raff has taken issue with Twitter's API, which allows developers of related programs to tap into Twitter services. By exploiting a vulnerability in a Twitter service or application that uses the API, it could be used as a springboard, allowing the creation of Twitter worms, Raff said. The Month of Twitter Bugs will accept submissions of vulnerabilities discovered in third-party Twitter services.

"I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products," Raff wrote on his blog.

Raff said his project could have focused on bugs in any Web-based social networking website. APIs used for Facebook, LinkedIn and others are vulnerable to third-party vulnerabilities that tap into their services.

The "Month of' bugs have come under scrutiny from security bloggers in the past who criticized the disclosure projects for being designed for press attention rather than better security. Some security professionals said the projects had become the cyber equivalent of a vigilante, smashing down doors and leaving them open for any attacker to exploit.

Tags: Web Application and Web 2.0 Threats,  Web Application Security,  Application Attacks (Buffer Overflows, Cross-Site Scripting),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Application and Web 2.0 Threats Torrent phishing scheme trips up Twitter users Browser exploit kit probe highlights need for patching, vigilance Attackers continue barrage of SEO attacks Self-defending Web applications thwart attacks Facebook, McAfee partner to fix social network security issues Facebook attacks prompt investments in social networking security PDF attack code complicates security analysis, skirts detection Adobe warns of critical Flash Media Server vulnerability Firefox, Opera, Safari browsers top list of high risk software FBI estimates rogue antivirus losses exceeding $150 million Web Application Security Attackers zero in on Web application vulnerabilities Self-defending Web applications thwart attacks Facebook, McAfee partner to fix social network security issues Web application attacks security guide: Preventing attacks and flaws Using unique device identification for bank website security Information security book excerpts and reviews Black box and white box testing: Which is best? InZero Systems launches hardware-based security gateway Web application vulnerability assessment shows patching progress Preventing SQL injection attacks: A network admin's perspective Application Attacks (Buffer Overflows, Cross-Site Scripting) Latest zero-day attacks only target IE 6, Microsoft says Social networking security: Twitter, Facebook hacker attacks climbing Web application attacks security guide: Preventing attacks and flaws How to stop buffer-overflow attacks and find flaws, vulnerabilities Preventing and stopping SQL injection hack attacks Distributed denial-of-service protection: How to stop DDoS attacks Prevent cross-site scripting hacks with tools, testing Firefox, Opera, Safari browsers top list of high risk software Information security book excerpts and reviews Quiz: How to build secure applications Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary content filtering  (SearchSecurity.com) Web filter  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary