IT Security NEWS
25 May 2009
Twitter API Serves As Web Worm Bait
Twitter, a widely popular service that mixes micro-blogging and social networking, has been scrambling to block cross-site scripting and other website bugs to impede the spread of worm attacks. However, researcher Aviv Raff observes something that Twitter management apparently overlooked: the Twitter API itself can be exploited as another avenue for sending worms wriggling throughout the micro-blogging community.
As a well-known expert on web application and browser security holes, Raff has the credentials to back up his claim that a single bug in any of the third-party services built on Twitter's API (Twitpic, for example) could set off the next great Twitter worm invasion.
According to Raff, the vulnerability he found a few weeks back on Twitpic's website works this way: Twitpic pulls profile data from Twitter and then displays it on the Twitpic profile page. While Twitter sanitizes the Twitter profile fields (bio, URL, name, and so on) and generates the tags itself, Twitpic fails to do so, and because of this flaw scripts can be injected into the Twitpic profile page.
This vulnerability can be effortlessly abused to commandeer Twitpic accounts and profiles. What's more, because Twitpic also uses the Twitter API to send automatic tweets on the user's behalf, the act of commenting or uploading a picture can also be manipulated to create a Twitter worm. That is a double-jeopardy bug that Twitter has to watch out for on behalf of its user base.
Raff then built an exploit demonstration that posts automatic comments on a random Twitpic photo whenever a user visits the "twitpicxss" profile he created. Any user who viewed that profile page while logged into a Twitpic account would involuntarily send a tweet to Twitter with the content that Raff inserted into the comment.
The content would typically contain a link pointing straight back to the "twitpicxss" profile, which could lure the Twitter users who follow the victim into clicking that URL, becoming victims themselves, and propagating the worm cycle indefinitely. Raff also had several other demos of CSRF (cross-site request forgery) issues in third-party Twitter applications that could likewise lead to worm propagation.
Undoubtedly, Twitter's active search for application specialists to concentrate on infrastructure and application security is partly inspired by the bugs pointed out by security researchers like Aviv Raff.
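The flaw described above is a classic output-encoding mistake: profile fields that arrive from an upstream API are trusted and interpolated straight into HTML. The following is an added example (not Twitpic's or Twitter's code) that shows the vulnerable rendering pattern beside a hardened version; the field names and the sample profile are constructed for illustration, not taken from the real API.

```python
import html
from urllib.parse import urlsplit

# Constructed sample profile standing in for an upstream API response.
# The field names are hypothetical; the point is that bio, URL and name
# are attacker-controlled text once they leave the originating service.
PROFILE = {
    "name": "Mallory <script>alert(1)</script>",
    "bio": "I love <b>photos</b>",
    "url": "javascript:alert(1)",
}


def render_profile_vulnerable(profile):
    """Vulnerable pattern: the third-party site assumes the upstream service
    already cleaned the data and drops it into the page unchanged."""
    return (
        f"<h1>{profile['name']}</h1>\n"
        f"<p>{profile['bio']}</p>\n"
        f"<a href=\"{profile['url']}\">website</a>"
    )


def safe_href(url):
    """Only http(s) links with a host are allowed in an href; anything else
    (javascript:, data:, relative junk) is replaced by a neutral '#'.
    The survivor is attribute-escaped so quotes and '&' cannot break out."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(url.strip(), quote=True)


def render_profile_hardened(profile):
    """Hardened pattern: every field is encoded for the context it lands in.
    Text nodes get HTML entity escaping; the link gets scheme validation."""
    return (
        f"<h1>{html.escape(profile['name'])}</h1>\n"
        f"<p>{html.escape(profile['bio'])}</p>\n"
        f"<a href=\"{safe_href(profile['url'])}\">website</a>"
    )


if __name__ == "__main__":
    print(render_profile_vulnerable(PROFILE))
    print(render_profile_hardened(PROFILE))
```

Escaping on output, rather than trusting the upstream service to have cleaned the data, is what closes the hole; the upstream sanitizer protects the upstream site's pages, not every page that later re-renders the same fields.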