Twitter API facilitates worm propagation
Security specialist Aviv Raff reports that the Twitter API can be exploited to spread worms. Among other things, the Twitter API allows users to configure, manage and query the status of their accounts using HTTP requests. Responses are delivered in the form of an XML or JSON document.
Although Twitter (twitter.com) filtered out the tags when a profile was requested, Twitpic (twitpic.com) did not and returned the code along with the profile, where it was executed in the requesting user's browser. This could be exploited not only to spy on users' Twitpic accounts; the code could also use the Twitter API to automatically send a tweet with an image link on behalf of a logged-in user.
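The failure described above is a client that takes profile data from a JSON API and places it straight into the page, so any markup stored in a profile field runs in the viewer's browser. The following added example (not code from the article, from Twitter or from Twitpic; the API response and its field names are constructed for illustration) contrasts such a rendering routine with one that HTML-encodes every untrusted value, and adds a small check that flags API fields containing markup for logging or review:

```javascript
// Constructed sample of a profile returned by a JSON API. The field names are
// hypothetical; the description carries markup, standing in for a stored
// profile field that the API returns without filtering.
const CONSTRUCTED_API_RESPONSE = JSON.stringify({
  screen_name: "example_user",
  description: "Photographer <script>alert(1)</script> from Berlin"
});

// Encode the five characters that are significant in HTML text and
// double- or single-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: API data is concatenated into markup unchanged, so a
// <script> tag stored in the profile becomes part of the viewer's page.
function renderProfileUnsafe(json) {
  const p = JSON.parse(json);
  return `<div class="profile"><h2>${p.screen_name}</h2>` +
         `<p>${p.description}</p></div>`;
}

// Hardened rendering: each untrusted value is encoded for the HTML text
// context it lands in, so the same input is displayed as literal text.
function renderProfileSafe(json) {
  const p = JSON.parse(json);
  return `<div class="profile"><h2>${escapeHtml(p.screen_name)}</h2>` +
         `<p>${escapeHtml(p.description)}</p></div>`;
}

// Detection aid: names of string fields in the response that contain what
// looks like an HTML tag, useful for a server-side log or review queue.
function fieldsWithMarkup(json) {
  const p = JSON.parse(json);
  return Object.entries(p)
    .filter(([, v]) => typeof v === "string" && /<\s*\/?\s*[a-z]/i.test(v))
    .map(([k]) => k);
}

// Checks whether rendered HTML still contains an executable <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Summary of the two renderings for the constructed sample.
function demo() {
  return {
    unsafeExecutesScript: containsScriptTag(renderProfileUnsafe(CONSTRUCTED_API_RESPONSE)),
    safeExecutesScript: containsScriptTag(renderProfileSafe(CONSTRUCTED_API_RESPONSE)),
    suspiciousFields: fieldsWithMarkup(CONSTRUCTED_API_RESPONSE)
  };
}

console.log(demo());
```

Encoding on output is the fix that would have protected the Twitpic page regardless of what Twitter itself filtered: the same profile text is rendered as literal characters instead of being parsed as markup, and the detection helper gives operators a way to notice profiles carrying tags before they are displayed.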
Raff says that this vulnerability could be exploited to spread worms, and that he proved this with a demo he wrote. While the hole in Twitpic has now been closed, Raff considers it possible that similar vulnerabilities still exist elsewhere, given the increasingly widespread use of Twitter services and applications. Fundamentally, he says, the problem is not security flaws in the Twitter API but the fact that the API can be abused.
Due to the increasing number of security issues, Twitter is looking for a software engineer to focus on application and infrastructure security.
- Twitter confirms security breach, a report from The H.
- StalkDaily/Mikeyy continues to flood Twitter, a report from The H.
- StalkDaily worm crawls through Twitter, a report from The H.
- Twitter XSS vulnerability, a report from The H.
- Twitter PINs down SMS tweet spoofing, a report from The H.
- Spam from compromised Twitter accounts, a report from The H.