
Month of Twitter Bugs project to document Twitter flaws

By Robert Westervelt, News Editor
17 Jun 2009 | SearchSecurity.com


One of the security researchers behind the Month of Browser Bugs is launching a new project documenting API flaws in the social networking platform Twitter.

Aviv Raff, who worked with HD Moore on the "Month of Browser Bugs" project, will start a Month of Twitter Bugs dedicated to highlighting the security deficiencies that put millions of Twitter users at risk. The security researcher turned his focus to Twitter last year, starting the Twitpwn website to highlight Twitter vulnerabilities.

In a blog posting announcing the Month of Twitter Bugs project, Raff said the Month of Browser Bugs provided examples of how "unexploitable" vulnerabilities could be used by an attacker for remote code execution. That project exposed 31 browser holes, most affecting Microsoft's Internet Explorer. The Twitter bug project will officially launch in July.

There has been an interest in Web-based vulnerabilities and the increased threat of data leakage associated with the rising use of social networking platforms, including Twitter, Facebook, MySpace and others. Security professionals are under pressure to relax security policies to allow employees to use the platforms for marketing and other business needs, according to some recent surveys.

Raff has taken issue with Twitter's API, which allows developers of related programs to tap into Twitter services. A vulnerability in a Twitter service or application that uses the API could be used as a springboard, allowing the creation of Twitter worms, Raff said. The Month of Twitter Bugs will accept submissions of vulnerabilities discovered in third-party Twitter services.

"I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products," Raff wrote on his blog.

Raff said his project could have focused on bugs in any Web-based social networking website. APIs used for Facebook, LinkedIn and others are exposed to vulnerabilities in third-party applications that tap into their services.

The "Month of" bugs have come under scrutiny from security bloggers in the past who criticized the disclosure projects for being designed for press attention rather than better security. Some security professionals said the projects had become the cyber equivalent of a vigilante, smashing down doors and leaving them open for any attacker to exploit.

Tags: Secure Coding and Application Programming, Web Application Security, Security Policies and User Awareness
