Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/15/2009
05:00 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Twitter Security Heating Up In July

In an effort to raise awareness of browser security flaws, one researcher wants to post a vulnerability every day that shows the soft underside of the Fail Whale.

For Twitter users, the month of living dangerously begins in two weeks. Come July, Israeli security researcher Aviv Raff plans to publish a new Twitter security vulnerability every day, for the duration of the month.

Raff participated in the "Month of Browser Bugs" initiative in July 2006. It was an effort to raise awareness of browser security flaws. Now he wants to shine the spotlight on Twitter with the "Month of Twitter Bugs."

"Each day I will publish a new vulnerability in a third-party Twitter service on the twitpwn.com Web site," Raff explained on his blog. "As those vulnerabilities can be exploited to create a Twitter worm, I'm going to give the third-party service provider and Twitter at least 24 hours heads-up before I publish the vulnerability."

Raff says that while he has more than enough vulnerabilities to publish one every day in July, he nonetheless welcomes submissions.

Twitter did not respond to a request for comment.

Raff, in a previous blog post, observed that Twitter's most significant security problem is its API, which can be abused to create worms.

In May, he created proof-of-concept code that exploits a vulnerability in the Web site twitpic.com, which uses the Twitter API.

Twitter has weathered several security problems already this year. In April, a Twitter worm created by a 17-year-old infected at least 190 accounts and generated almost 10,000 spam tweets.

Also in April, a Twitter administrative account was hacked. The hacker who claimed responsibility posted screenshots of several celebrity Twitter accounts accessed through the compromised administrative account.

There have been other incidents too: In March, about 750 Twitter accounts were hacked and used to send spam. And in January, 33 Twitter accounts associated with celebrities were hacked through a brute-force password attack.

In response to the April account hack, Twitter co-founder Biz Stone said the company would conduct an independent security audit of its internal systems and would deploy additional anti-intrusion measures. To date, the company has not provided an update on its security efforts.


InformationWeek Analytics and DarkReading.com have published an independent analysis of security outsourcing. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22893
PUBLISHED: 2021-04-23
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse...
CVE-2021-31408
PUBLISHED: 2021-04-23
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after t...
CVE-2021-31410
PUBLISHED: 2021-04-23
Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.
CVE-2021-31539
PUBLISHED: 2021-04-23
Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.
CVE-2021-31540
PUBLISHED: 2021-04-23
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.