For many in the U.S., Friday started a long weekend of festivity, thanks to Independence Day. However, just because it was a holiday for some does not mean that Aviv Raff stopped listing Twitter-related flaws.
[Image: Month of Twitter Bugs - holiday roundup. Credit: J. Anderson]
Raff, who started the Month of Twitter Bugs (MoTB) to raise awareness of vulnerabilities in sites that use Twitter’s API, and which therefore directly affect Twitter users, has mostly published details on problems that have already been patched. In some cases, however, others discover more issues almost instantly.
One example of a vulnerability patched prior to disclosure comes from HootSuite. HootSuite can be used to manage multiple Twitter accounts. The site counts itself as the “ultimate Twitter toolbox” pointing out that, with its features, one can “manage your entire Twitter experience from one easy-to-use interface.”
Raff published details [MoTB #2] on a Cross-Site Scripting (XSS) vulnerability that would allow an attacker to send tweets, send direct messages, or force the victim to 'follow' or 'un-follow' other microbloggers. According to the disclosure, the XSS (discovered in the add-account part of the HootSuite site) was patched in two hours.
However, a few hours after the HootSuite vulnerability was published, two commenters reported similar flaws and posted proof-of-concepts demonstrating that, while one problem was fixed by the site in a matter of hours, the fix did not cover everything. As of today, July 06, some four days later, each of the XSS vulnerabilities listed is still active.
Another MoTB disclosure, which centered on an XSS in TwitWall [MoTB #3], would have allowed an attacker to send tweets or force a victim to follow or un-follow users. This vulnerability was patched rather quickly as well, and when another problem was discovered, the site’s developers acted quickly to patch it.
BigTweet, developed so anyone can send tweets from any Web page, was the subject of MoTB #4. The vulnerability, a CSRF (Cross-Site Request Forgery) issue, centered on the fact that the “update.json web page did not use authenticity code in order to validate that the HTTP post is coming from the BigTweet web application,” Raff reported.
However, Raff also noted that BigTweet developer Scott Carter is the one who came up with the idea of a Twitter API security best practices document. Carter’s idea came to life last week, when Alex Payne published one on Twitter’s API Wiki.
Lastly, Raff published MoTB #5 on Sunday, detailing an XSS vulnerability discovered in TwitSnaps, which is a smaller competitor to TwitPic. The vulnerability would have allowed an attacker to force a victim to send tweets if exploited. According to the disclosure, the flaw was patched after a period of five days.