A security researcher who specializes in browser and Web 2.0 vulnerabilities plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem.
The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff. It will disclose a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.
Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at-least 24 hours heads-up before I publish the vulnerability.
Raff is hoping to raise awareness for the Twitter API weakness that exposes the popular service to worm attacks if a single third-party Twitter service (like Twitpic) contains a vulnerability.
The [Month of Twitter Bugs] could have been easily converted to any other “Month of Web 2.0 service bugs”, and I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products.
Raff was among the first group of researchers to launch of a monthly vulnerability release project, partnering with HD Moore and others on the Month of Browser Bugs. Since then, similar projects have targeted security deficiencies in Apple’s Mac OS, the PHP scripting language and ActiveX control issues.