News Stay informed about the latest enterprise technology news and product updates.

Twitter vulnerability project highlights flaws

Link shortening service had several cross-site scripting flaws that could be used to view a user's browsing history, tamper with settings and abuse Twitter accounts.

A security researcher highlighting vulnerabilities in third-party Twitter applications this month focused on several serious cross-site scripting (XSS) flaws in the popular link-shortening service.

To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Aviv Raff launched the Month of Twitter Bugs today, showcasing the errors. Raff gave notice to programmers and in less than three hours the final flaw was patched. is one of the more popular URL-shortening services. Users who set up an account with the service can track their shortened links. The service is integrated with Firefox as well as several third-party Twitter organizer applications. In addition to, nearly a dozen other link-shortening services are available.

Raff highlighted XSS errors in the URL and keywords parameter and similar vulnerabilities in the username field of the login page and the content-type field of the URL info page. The flaws were discovered by security researchers Mike Bailey and Mario Heiderich. It took developers about a month to correct the errors, with the latest one patched today. 

Social networking:

Twitter risks, Facebook threats trouble security pros: OPINION - Security can't slow down the Twitter phenomenon, but it can take steps to prevent data leakage.

Cligs URL shortening flaw highlights social networking ills:
Could flaws in social networks send the Internet spiraling out of control?

"With such a poor response rate to security vulnerabilities and with such a poorly coded website, in terms of security, we can only hope for the best," Raff wrote in his blog. "Please be careful clicking those shortened URLs." XSS errors enable an attacker to insert malicious coding into a link that appears to be from a trustworthy source. When someone clicks on the link, the embedded programming is submitted as part of the client's Web request and can execute on the user's computer, typically allowing the attacker to steal information. When Web forms contain XSS errors, attackers alter the HTML that controls the behavior of the form.

Link shortening services have come under increased scrutiny in recent months. A security breach in URL shortener Cligs ( last month redirected 2.2 million URLs to a single Web page. The Web page was not malicious, but it highlighted the threat posed by flaws in the link shortening services. 

Raff announced in June that he planned to document Twitter related flaws. The security researcher documented browser flaws in a similar format in 2006. The latest project is being showcased on Raff's Twitpwn website.

The bug tracking project is getting a lot of attention from security professionals who are dealing with an increased use of Twitter, Facebook and other Web-based social networking services.

Raff has been critical of Twitter and third-party services that rely on Twitter's API to connect to the Twitter platform. He said in a recent blog post that the API could be used as a springboard by attackers to create Twitter worms and spread malware to steal sensitive data from users.

The Month of Twitter Bugs is accepting submissions of vulnerabilities discovered by third-party Twitter services.

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.