Researcher plans to unveil a month of Twitter bugs in July
Aviv Raff, who participated in a similar project in 2006, the "Month of Browser Bugs," announced on his blog Monday that his "Month of Twitter Bugs" will not reveal vulnerabilities specific to Twitter. Instead, he will publish bugs in popularly used third-party Twitter services, such as Twitpic or TweetDeck.
Raff said he hopes the undertaking calls attention to the insecurity of many sites that use the Twitter application programming interface (API).
"In short, one small vulnerability in a third-party Twitter service has the potential to create a Twitter worm," Raff told SCMagazineUS.com in an interview by instant messenger. "For example, it could be used by an attacker to distribute malware. Won't you click on a link your friend has just Twitted?"
He said that even if Twitter was clean of all vulnerabilities, such as cross-site scripting (XSS) or cross-site request forgery, the site still could be abused by a coding flaw in a site using the Twitter API.
Last month, he offered an example when he published a proof-of-concept for a vulnerability on Twitpic.com, which enables users to share photos on Twitter.
"While Twitter.com sanitizes and encodes HTML tags in Twitter profile information, Twitpic failed to do so and by that, allowed injecting scripts to the Twitpic user profile page," Raff explained in a blog post. "This is a very simple, persistent XSS, which can be easily abused to hijack Twitpic.com user accounts. However, because Twitpic.com also uses the Twitter API to automatically send 'twits' on behalf of the user, whenever the user uploads a picture or comments on another user's picture, it can also be easily used to create a Twitter worm."
A TwitPic spokesperson could not be reached.
Raff told SCMagazineUS.com that Twitter -- and other sites such as Facebook and LinkedIn -- must improve their outreach to the websites and applications that use its API.
"There is no bullet-proof solution here," he said. "All I hope is for Twitter, and other Web 2.0 API providers, to work closely with the developers who use their API in order to make sure they develop code as secure as possible. It's mainly the third-party developers' fault, but I think Twitter should educate them about secure coding."
Raff said on his blog that he plans to provide the service providers with 24 hours of notice prior to publishing each bug. He plans to list the vulnerabilities on www.twitpwn.com.
A Twitter spokesperson did not immediately respond to a request for comment.
Security experts said Twitter finds itself in a difficult position because these third-party services help it grow faster. But a problem at one of these sites reflects poorly on the Twitter brand.
"Any of these third-party applications do need to take security seriously and incorporate security testing into their development life cycle, just like any enterprise or independent software developer would do," said Chris Eng, senior director of research at Veracode, an application security company.
Eng's colleague, Mike Puglia, director of product marketing, said Twitter can be more proactive by requiring that its API partners prove some level of security assurance.