Wifi Password Recovery - UTM - Vulnerability Scanning

SHOP
CLOUD PEN
VIP LOGIN
Sun Sun Sun

You are here: News > News > Twitter API Serves As Web Worm Bait

» IT Security NEWS
 
» 25 May 2009
Twitter API Serves As Web Worm Bait
Twitter, a widely popular service that mixes micro-blogging and social networking together, has been desperately clambering to block cross-site scripting and other website bugs to impede the spread of worm attacks. However, researcher Aviv Raff observes something that Twitter management apparently overlooked—that the Twitter API can be exploited by hackers as another vulnerability to send worms wriggling throughout the micro-blogging community.

As a famous expert on web application and browser security holes, Raff has enough credentials to back up his claims that a single bug on any of the third-party services available in Twitter (like Twitpic, for example) that use the API can activate the next great Twitter worm invasion.

According to Raff, the vulnerability he found a few weeks back in Twitpic's official website works this way: First, Twitpic brings in profile data from Twitter and then exhibits it on the Twitpic profile page. While Twitter cleans out and generates tags in the Twitter profile information section—that is, bio, URL, name, and so on—Twitpic unsuccessfully does so and because of this flaw, it allows injecting scripts into the Twitpic profile page.

This vulnerability can be effortlessly abused to commandeer Twitpic accounts and profiles. What's more, because Twitpic also makes use of the API found in Twitter to deliver automatic tweets for the user's sake, the process of commenting or picture uploading can also be manipulated to create a Twitter worm. That's a double jeopardy bug that Twitter has to watch out for on behalf of its user base.

Afterwards, Raff developed an exploit demonstration that sends automatic comments on a random Twitpic photo whenever a user visits the "twitpicxss" profile he made. Any user who perused that profile page while logged onto his respective Twitpic account would involuntarily deliver a tweet to Twitter with the content that Raff inserted into the comment.

The content would typically have an address linked directly to the "twitpicxss" profile, which could have made Twitter users that monitor the target click on that URL, be victimized, and propagate the worm cycle ad infinitum. Raff also had many other demos of CSRF (cross-site request forgery) issues in third-party Twitter applications that could also lead to worm promulgation.

Undoubtedly, Twitter's ardent search for application specialists who would concentrate in infrastructure and program protection is partly inspired by the bugs pointed out by security researchers like Aviv Raff.

 
Want to be Contacted?
Click here to Get Contacted
Free Services
Free Wi-Fi Top 15 Security Tips
Free Vulnerability Scan
SecPoint News

» SecPoint at ICTVakdag May 2013 Netherlands
Pictures from SecPoint at ICTVakdag May 2013 Netherlands...
Wednesday May 22, 2013

Awards & Reviews
  
Featured SecPoint Customers

Featured SecPoint clients

About
About SecPoint
Mission Statement
Vision
Management
Investment
Certificates
Products
SecPoint Products
Protector
Cloud Protector
Penetrator
Portable Penetrator
Cloud Penetrator
Free IT Security Tools
SecPoint Brochures
SecPoint Questions FAQ
SecPoint Datasheets
News
SecPoint News
Press
Product Awards


Contact
SecPoint Contact
IT Security Products Webshop
SecPoint FAQ Frequently Asked Questions
SecPoint Support
Solutions
Anti-Spam Appliance
UTM Appliance
Penetration Testing
Proxy Appliance
SAAS
Spam Filters
Vulnerability Assessment

Encyclopedia | Link Policy | Privacy Statement | Resources | Sitemap | User Policy

SecPoint® © Copyright 1999-2013
US Toll Free: +1-888-704-7297 - EU Toll Free: +44-808-101-2272