In association with heise online

27 May 2009, 11:34

Twitter API facilitates worm propagation


Security specialist Aviv Raff reports that the Twitter API can be exploited to spread worms. Among other things, the Twitter API allows users to configure, manage and query the status of their accounts using HTTP requests. Responses are delivered in the form of an XML or JSON document.

The photo-sharing service Twitpic is among the application sites that use the API, for example to retrieve or import a user's Twitter profile. According to Raff, until recently Twitpic did not filter HTML tags out of the imported Twitter profiles, so a profile containing JavaScript could be stored in Twitpic.

Although Twitter was filtering out the tags when a profile was requested, Twitpic did not and returned the code along with the profile, where it then executed in the requesting user's browser. This could be exploited not only to spy on users' Twitpic accounts; the injected code could also use the Twitter API to automatically post a tweet containing an image link on behalf of a logged-in user.
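The defect described above is a classic stored cross-site scripting pattern: a consumer trusts that an upstream API has already sanitised a field and writes it straight into its own page. The following is an added example, not Twitpic's or Twitter's code, showing the unsafe rendering next to a hardened version that encodes every untrusted field for the HTML context it lands in, regardless of what the upstream did. The profile object, its `screen_name` and `description` fields, and the sample payload are constructed for illustration.

```javascript
// Added example (not Twitpic's or Twitter's code). Assumes a profile record
// fetched from a third-party JSON API with "screen_name" and "description"
// fields; both are illustrative assumptions.

// Constructed sample input: a profile whose description carries a script tag,
// the shape a stored-XSS payload in an imported profile would take.
const profile = {
  screen_name: "example_user",
  description: '<script>alert(document.cookie)</script> hello',
};

// Unsafe: the API field is concatenated straight into markup. Whether or not
// the upstream filtered tags on its own site, the tag lands in this page and
// executes in the viewer's browser.
function renderProfileUnsafe(p) {
  return `<div class="profile"><b>${p.screen_name}</b><p>${p.description}</p></div>`;
}

// Escape the characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe: every untrusted field is output-encoded by the consumer itself, so the
// page no longer depends on another service's filtering decisions.
function renderProfileSafe(p) {
  return `<div class="profile"><b>${escapeHtml(p.screen_name)}</b><p>${escapeHtml(p.description)}</p></div>`;
}

// Minimal check for the tag the described exploit relied on; useful as a
// regression test on rendered output, not as a sanitiser.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderProfileUnsafe(profile));
console.log("safe:  ", renderProfileSafe(profile));
```

In a browser the same rule is simplest to follow by assigning untrusted strings to `textContent` rather than `innerHTML`; the string-escaping form above is shown so that the two outputs can be compared outside a DOM.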

Raff says that this vulnerability could be exploited to spread worms, which he says he proved with a demo he wrote. The hole in Twitpic has now been closed, but given the increasingly widespread use of Twitter services and applications, Raff considers it possible that similar vulnerabilities still exist elsewhere. Fundamentally, he says, the problem is not security flaws in the Twitter API itself but the fact that the API can be abused.

Given the increasing number of security issues, Twitter is looking for a software engineer to focus on application and infrastructure security.

