If at first you don't succeed; call it version 1.0
Monday, 15 June 2009

Back in July 2006, I had the opportunity to be part of a cool initiative called “Month of Browser Bugs”. This initiative was created by H.D. Moore in order to raise awareness of security vulnerabilities in web browsers. Back then it was mainly focused on system ActiveX issues, but it also provided some great examples of how so-called “unexploitable” vulnerabilities can still be abused for remote code execution. The initiative was a great success, in my opinion, and made the browser vendors more attentive to security vulnerabilities in their products (e.g. in Internet Explorer 8, installed ActiveX controls no longer run automatically, and can be opted in to run on specific sites).
Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise awareness of the Twitter API issue I recently blogged about. MoTB could easily have been converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.
Each day I will publish a new vulnerability in a 3rd-party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd-party service provider and Twitter at least 24 hours' heads-up before I publish the vulnerability.
Even though I have enough vulnerabilities for this month, you are more than welcome to send me (via email or Twitter) vulnerabilities you find in 3rd-party Twitter services. I will do my best to publish all submitted vulnerabilities. I will, of course, credit the submitter.
See you in July.

Monday, 15 June 2009 17:41:25 UTC | Comments [9] | Security
Monday, 15 June 2009 18:38:54 UTC
Avib, it might be a good start with blocking that ↑ Tweep ad from AdSense.
It is one of the pipes sewage seeps into Twitter through.
Tuesday, 16 June 2009 04:39:00 UTC
Might be an idea to postpone this exercise until the Iran situation is more stable, as some are using it for protest.
Tuesday, 16 June 2009 10:44:31 UTC
Hopefully Twitter will learn from other people's mistakes and fix their holes.
Maybe prior to the MoTB date :)

Great initiative!
Tuesday, 16 June 2009 11:48:43 UTC
Ha, I like this idea! There are sure A LOT of security bugs. It seems they did nothing to protect, for example, the input fields (JS worms in input fields of such a big service? Are they kidding?). Just followed you on Twitter for updates.
Tuesday, 16 June 2009 15:03:41 UTC

I am sure that we can learn a little bit more about the "don'ts" in web apis.

(PS. I agree with Tim - to publish those things a little bit later.)
Tuesday, 16 June 2009 19:46:20 UTC

Here we go!

Tuesday, 16 June 2009 21:53:01 UTC
Giving 24 hours' notice is just not responsible, and if you ever find yourself working in the security field (as a job) this may come back to haunt you. I'd suggest telling them now and giving them some time to fix the issues; it should be all clear then.
Friday, 19 June 2009 17:38:14 UTC
@Ed: I don't think I can block all twitter services from adsense, there are just too many... :)

@Tim: I might consider that, thanks.

@Robert: I wrote that I'm going to give at least 24 hours. I hope that I will manage to give them around 3-4 days on average.
As these are mostly XSS/CSRF issues, I think 3-4 days to fix is more than enough.
Sunday, 12 July 2009 00:57:19 UTC
I like that you show how sites have holes, since I've been really into security for the last few months.
It's possible on nearly every site, and it's great to show people that they aren't safe.

I've used the top 100 list as well to check out some sites for simple XSS, and it's just too easy.
http://socialcollider.net/ (though I don't see any use there)

On both I've just used a simple <script>alert(document.cookie)<%2Fscript> search query and voilà...

Keep up the good work :)