Highlighting flaws in the Twitter API


That’s what a security researcher plans to do next month.

Aviv Raff, who worked with HD Moore on the “Month of Browser Bugs” project, will start a Month of Twitter Bugs dedicated to highlighting the security deficiencies that put millions of Twitter users at risk. The security researcher turned his focus to Twitter last year, starting the Twitpwn website to highlight Twitter vulnerabilities.

In a blog posting announcing the Month of Twitter Bugs project, Raff said the Month of Browser Bugs provided examples of how supposedly “unexploitable” vulnerabilities could be used by an attacker for remote code execution. It exposed 31 browser holes, most of them affecting Microsoft’s Internet Explorer. The Twitter bug project will officially launch in July.

There has been growing interest in Web-based vulnerabilities and in the increased threat of data leakage associated with the rising use of social networking platforms, including Twitter, Facebook, MySpace and others. According to some recent surveys, security professionals are under pressure to relax security policies so that employees can use these platforms for marketing and other business needs.

Raff’s main beef with Twitter?

Raff has taken issue with Twitter’s API, which allows developers of related programs to tap into Twitter services. By exploiting a vulnerability in a Twitter service or application that uses the API, an attacker could use that service as a springboard for creating Twitter worms, Raff said. The Month of Twitter Bugs will accept submissions of vulnerabilities discovered in third-party Twitter services.

Raff points out any social networking site could have been the focus of this project.

Raff said his project could have focused on bugs in any Web-based social networking site. Third-party applications that tap into the APIs of Facebook, LinkedIn and others are exposed to the same kinds of vulnerabilities.

But is going public with vulnerabilities in this manner the right approach for improving security?

The “Month of” bug projects have come under scrutiny from security bloggers in the past, who criticized the disclosure projects for being designed for press attention rather than better security. Some security professionals said the projects had become the cyber equivalent of a vigilante, smashing down doors and leaving them open for any attacker to exploit. (Source: Month of Twitter Bugs project to document Twitter flaws – Search Security)

What do you think?


About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on June 22, 2009, in Technology News, Twitter, vulnerability.
