Day One of The Month of Twitter Bugs project revealed four new cross-site scripting (XSS) vulnerabilities in the popular bit.ly URL-shortening tool used by many Twitter users to shorten links to fit into the 140-character Tweet limit. Bit.ly is also integrated into the popular TweetDeck Twitter interface. The controversial month-of-bugs concept -- where researchers disclose new vulnerabilities daily for a month -- was started three years ago by HD Moore, who brought attention to browser security issues with his Month of Browser Bugs project.
"I hope to raise the awareness of developers using the Twitter API to develop more secure code, as they should understand that by developing insecure code, they are not only exposing their own users to threats, but the entire Twitter community," says Aviv Raff, the researcher behind the project.
Three of the four XSS bugs had already been patched by the time Raff posted them this morning, and the fourth -- a nasty persistent XSS bug -- was patched by bit.ly a few hours later. The bug, for which Raff posted proof-of-concept code, could be used by an attacker to Tweet from a victim's account, as well as to spread via a Twitter worm, Raff says.
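The article does not say where in bit.ly the persistent XSS lived, so the following is an added illustration, not bit.ly's code and not Raff's proof of concept, of the general failure mode behind a stored XSS in a URL shortener: a user-supplied link title is saved with the short link and later rendered into HTML unescaped, so the stored markup runs in every visitor's browser. The hardened version escapes the title and validates the short code before either reaches the page. The function names, the `/{short_code}` URL layout, the short-code alphabet and the sample payload are all assumptions constructed for this example.

```python
import html
import re

# Constructed sample input: a link title an attacker stored with a shortened URL.
# The payload is deliberately inert (a plain alert); it is not bit.ly's actual bug.
STORED_TITLE = "<script>alert(1)</script>Read this"

# Assumed short-code alphabet for the hypothetical shortener: letters and digits only.
SHORT_CODE_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def is_valid_short_code(short_code: str) -> bool:
    """Reject any short code that could smuggle quotes or tags into an href."""
    return SHORT_CODE_RE.fullmatch(short_code) is not None


def render_link_vulnerable(short_code: str, title: str) -> str:
    """Builds the link preview by string concatenation.

    Whatever the stored title contains is copied verbatim into the page, so a
    <script> saved by one user executes for everyone who views the link: the
    persistent (stored) XSS pattern the article describes.
    """
    return f'<a href="/{short_code}">{title}</a>'


def render_link_safe(short_code: str, title: str) -> str:
    """Same output, but every untrusted value is validated or escaped first.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    stored title is displayed as text instead of being parsed as markup.
    """
    if not is_valid_short_code(short_code):
        raise ValueError("short code contains characters outside the allowed set")
    return f'<a href="/{short_code}">{html.escape(title, quote=True)}</a>'


def contains_live_script(markup: str) -> bool:
    """Cheap check used here only to show the difference between the two renderers."""
    return SCRIPT_TAG_RE.search(markup) is not None


if __name__ == "__main__":
    print("vulnerable:", render_link_vulnerable("abc123", STORED_TITLE))
    print("escaped:   ", render_link_safe("abc123", STORED_TITLE))
```

The escaping must happen at output time, in the HTML context where the value is emitted; escaping on the way into the database is not a substitute, because the same title may later be rendered into an attribute, a JavaScript string or JSON, each of which needs its own encoder.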
Meanwhile, other security experts are deeming today TwitterSec Day, urging Twitter users to focus on better securing their accounts in anticipation of new attacks that could come out of the Month of Twitter Bugs disclosures. The so-called #twittersec initiative called for Twitter users to change their Twitter passwords today. "How many times have you given your twitter password to a third party site? Did you change your password after you did that? Well, if not, here is a good time to do so," the Edge.I-Hacked site blogged today. "Yes, it is true that changing your password doesn't invalidate all of the 'MoTB'; however, it could help stop a few. And really, it is probably time that you do it anyways, don't you think?" The main goal, they say, is to pressure Twitter app developers to fix their bugs.
Raff says changing their Twitter passwords won't protect users from attacks that exploit these vulnerabilities, however. "Twitter users should log into Twitter through third-party services only when they really need to use it. In any other case, they should use the 'log out' option," he says.
And the Month of Twitter Bugs doesn't make Twitter any less safe, he says. "Attackers don't need Month of Twitter Bugs to attack third-party apps. They have already done this in the past. Just a few days ago, someone used a vulnerability in TwitPic to Tweet on behalf of Britney Spears a fake announcement of her death," he says.
Raff is giving Twitter and the third-party provider at least a 24-hour head start on each bug before he goes live with it. He said in his blog that he has plenty of vulnerabilities for July, but is still accepting submissions.
Twitter should work closely with its third-party application developers on securing their tools, Raff says. He says the microblogging firm is starting to do just that, with its Security Best Practices.
Meanwhile, since most of the Twitter API-based apps are Web apps, Raff says the rest of the bug disclosures in July are likely to feature "a variety of Web application vulnerabilities."