July to be the "Month of Twitter Bugs"
Security specialist Aviv Raff has nominated this July as the "Month of Twitter Bugs" (MoTB), during which he plans to publish details of one Twitter API-related vulnerability per day. The API allows users to configure, manage and query the status of their own account using HTTP requests. Raff has already reported that it's possible to exploit the API query to the twitpic.com Twitter image service to spread worms. Strictly speaking, these are not vulnerabilities in the Twitter API, but rather careless or error-strewn implementations of API queries by third parties.
Raff claims to have already found enough security problems in third-party services that make use of the Twitter API to fill the month. He is, nonetheless, more than happy to receive information on any other problems. Raff hopes his campaign will increase awareness of potential problems when using the Twitter API in particular and Web 2.0 APIs in general.
Because all of the vulnerabilities he has identified can be used to spread a Twitter worm, he intends to give each of the affected suppliers and Twitter operators 24 hours' notice prior to releasing his report. It should be interesting to see whether all the parties involved are able to fix the vulnerabilities in their implementations within the time frame.
The "Month of Twitter Bugs" follows on from the monthly bug series "Month of Browser Bugs", "Month of Apple Bugs", "Month of PHP Bugs" and "Month of Kernel Bugs". Sadly, the "Month of Java Bugs" only turned out to be an April Fools' joke – for now at any rate.
- Twitter API facilitates worm propagation, a report from The H.
- Month of PHP Bugs gets going, a report from The H.
- Summary of the Month of Apple Bugs, a report from The H.
- Month of Kernel Bugs - the interim results, a report from The H.
- Hole in Safari rounds off "Month of Browser Bugs", a report from The H.