Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

7/1/2009
04:18 PM
Month Of Twitter Bugs Goes Live With Mini-URL Flaws

Researcher launches Day One of daily third-party Twitter app vulnerability disclosures, while some members of Twitter christen July 1 "TwitterSec Day"

The Month of Bugs phenomenon is back, with a new project aimed at exposing vulnerabilities in third-party Twitter applications.

Day One of The Month of Twitter Bugs project revealed four new cross-site scripting (XSS) vulnerabilities in the popular bit.ly URL-shortening tool used by many Twitter users to shorten links to fit into the 140-character Tweet limit. Bit.ly is also integrated into the popular TweetDeck Twitter interface. The controversial month-of-bugs concept -- where researchers disclose new vulnerabilities daily for a month -- was started three years ago by HD Moore, who brought attention to browser security issues with his Month of Browser Bugs project.

"I hope to raise the awareness of developers using the Twitter API to develop more secure code, as they should understand that by developing insecure code, they are not only exposing their own users to threats, but the entire Twitter community," says Aviv Raff, the researcher behind the project.

Three of the four XSS bugs had already been patched by the time Raff posted them this morning, and the fourth -- a nasty persistent XSS bug -- was patched by bit.ly a few hours later. The bug, for which Raff posted proof-of-concept code, could be used by an attacker to Tweet from a victim's account, as well as to spread via a Twitter worm, Raff says.
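As an added illustration of the bug class, not bit.ly's code and not the actual flaws Raff disclosed: a toy URL shortener in Python that stores a caller-supplied long URL and later renders it as a link, shown first with the two defects that turn such storage into a persistent XSS (no scheme check at intake, no escaping at output) and then hardened. The function names, the in-memory store and the sample inputs are constructed for this example.

```python
# Constructed example of a persistent-XSS bug class in a URL shortener and its
# fix. Not bit.ly's code; the flaw details on this page are not reproduced.
import html
from urllib.parse import urlsplit

STORE = {}  # short_code -> long_url (constructed in-memory store)
ALLOWED_SCHEMES = {"http", "https"}


def shorten_unsafe(code, long_url):
    """'Before' behaviour: whatever the caller submits is stored verbatim."""
    STORE[code] = long_url
    return code


def render_preview_unsafe(code):
    """'Before' behaviour: the stored value is interpolated straight into HTML.

    A stored value containing a quote and angle brackets closes the href
    attribute and injects its own markup into every page that shows the link.
    """
    url = STORE[code]
    return f'<a href="{url}">{url}</a>'


def validate_long_url(long_url):
    """Hardened intake: accept only absolute http(s) URLs that name a host.

    Rejecting other schemes stops a stored link whose *click* runs code, which
    output escaping alone would not prevent.
    """
    parts = urlsplit(long_url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("only absolute http(s) URLs may be shortened")
    return parts.geturl()


def is_shortenable(long_url):
    """Boolean wrapper around validate_long_url for callers that just need yes/no."""
    try:
        validate_long_url(long_url)
        return True
    except ValueError:
        return False


def shorten_safe(code, long_url):
    """Hardened intake path: store only a validated URL."""
    STORE[code] = validate_long_url(long_url)
    return code


def render_preview_safe(code):
    """Hardened output: HTML-escape the value for both attribute and text node."""
    url = html.escape(STORE[code], quote=True)
    return f'<a href="{url}">{url}</a>'
```

The escaping step neutralises stored markup on display; the scheme allowlist is the separate check that keeps a non-http(s) link from being stored in the first place.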

Meanwhile, other security experts are deeming today TwitterSec Day, urging Twitter users to focus on better securing their accounts in anticipation of new attacks that could come out of the Month of Twitter Bugs disclosures. The so-called #twittersec initiative called for Twitter users to change their Twitter passwords today. "How many times have you given your twitter password to a third party site? Did you change your password after you did that? Well, if not, here is a good time to do so," the Edge.I-Hacked site blogged today. "Yes, it is true that changing your password doesn't invalidate all of the 'MoTB,' however, it could help stop a few. And really, it is probably time that you do it anyways, don't you think?" The main goal, they say, is to pressure Twitter app developers to fix their bugs.

Raff says changing their Twitter passwords won't protect users from attacks from these vulnerabilities, however. "Twitter users should log into Twitter through third-party services only when they really need to use it. In any other case, they should use the 'log out' option," he says.

And the Month of Twitter Bugs doesn't make Twitter any more safe, he says. "Attackers don't need Month of Twitter Bugs to attack third-party apps. They have already done this in the past. Just a few days ago, someone used a vulnerability in TwitPic to Tweet on behalf of Britney Spears a fake announcement of her death," he says.

Raff is giving Twitter and the third-party provider a head start of at least 24 hours on each bug before he goes live with it. He said in his blog that he has plenty of vulnerabilities for July, but is still accepting submissions.

Twitter should work closely with its third-party application developers on securing their tools, Raff says. He says the microblogging firm is starting to do just that, with its Security Best Practices.

Meanwhile, since most of the Twitter API-based apps are Web apps, Raff says the rest of the bug disclosures in July are likely to feature "a variety of Web application vulnerabilities."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
