Month Of Twitter Bugs Goes Live With Mini-URL Flaws

Researcher launches Day One of daily third-party Twitter app vulnerability disclosures, while some members of Twitter christen July 1 "TwitterSec Day"

The Month of Bugs phenomenon is back, with a new project aimed at exposing vulnerabilities in third-party Twitter applications.

Day One of The Month of Twitter Bugs project revealed four new cross-site scripting (XSS) vulnerabilities in the popular URL-shortening tool used by many Twitter users to shorten links to fit into the 140-character Tweet limit. is also integrated into the popular TweetDeck Twitter interface. The controversial month-of-bugs concept -- where researchers disclose new vulnerabilities daily for a month -- was started three years ago by HD Moore, who brought attention to browser security issues with his Month of Browser Bugs project.

"I hope to raise the awareness of developers using the Twitter API to develop more secure code, as they should understand that that by developing insecure code, they are not only exposing their own users to threats, but the entire Twitter community," says Aviv Raff, the researcher behind the project.

Three of the four XSS bugs had already been patched by the time Raff posted them this morning, and the third -- a nasty persistent XSS bug -- was patched by a few hours later. The bug, for which Raff posted proof-of-concept code, could be used by an attacker to Tweet from a victim's account, as well as to spread via a Twitter worm, Raff says.

Meanwhile, other security experts are deeming today TwitterSec Day, urging Twitter users to focus on better securing their accounts in anticipation of new attacks that could come out of the Month of Twitter Bugs disclosures. The so-called #twittersec initiative called for Twitter users to change their Twitter passwords today. "How many times have you given your twitter password to a third party site? Did you change your password after you did that? Well, if not here is a good time to do so," the Edge.I-Hacked site blogged today. "Yes, it is true that changing your password doesn't invalidate all of the 'MoTB,' however; it could help stop a few. And really, it is probably time that you do it anyways, don't you think?" The main goal, they say, is to pressure Twitter app developers to fix their bugs.

Raff says changing their Twitter passwords won't protect users from attacks from these vulnerabilities, however. "Twitter users should log into Twitter through third-party services only when they really need to use it. On any other case, they should use the 'log out' option," he says.

And the Month of Twitter Bugs doesn't make Twitter any more safe, he says. "Attackers don't need Month of Twitter Bugs to attack third-party apps. They have already done this in the past. Just few days ago, someone used a vulnerability in TwitPic to Tweet on behalf of Britney Spears a fake announcement of her death," he says.

Raff is giving Twitter and the third-party provider a 24-hour or more jump on the bugs before he goes live with them. He said in his blog that he has plenty of vulnerabilities for July, but is still accepting submissions.

Twitter should work closely with its third-party application developers on securing their tools, Raff says. He says the microblogging firm is starting to do just that, with its Security Best Practices.

Meanwhile, since most of the Twitter API-based apps are Web apps, Raff says the rest of the bug disclosures in July are likely to feature "a variety of Web application vulnerabilities."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights