Researcher Reveals Bit.ly Flaws under Month-of-Twitter Bugs Project

Aviv Raff, a security investigator while highlighting security flaws in the third-party Twitter software in July 2009, has tried to draw attention towards a number of serious XSS (cross-site scripting) vulnerabilities in Bit.ly (a popular service that shortens URLs), as reported by Search Security on July 1, 2009.

On July 1, 2009, Raff initiated the Month-of-Twitter Bugs project. He notified programmers of Bit.ly and within a short time period, the vulnerability was fixed.

Meanwhile, people using Bit.ly through their personal accounts could trace the path of their condensed URLs. The facility is incorporated into Firefox along with a number of third-party Twitter software. While Bit.ly is popularly used, there are 12 other similar URL-shortening facilities available.

Under the Month-of-Twitter Bugs scheme, Day One (July 1) disclosed four fresh XSS flaws in the Bit.ly program used for condensing links within the Tweet limit of 140 characters. These XSS flaws can be found inside the abridged links and keywords parameter. Similar flaws also exist within the username space of the login page of Bit.ly as well as within the content-type space belonging to the info page of the link.

Raff says in his blog post that since there is a low response rate towards the security flaws and Twitter is so poorly secured, one can just hope for good only. Thus, the researcher urges users to maintain caution while clicking on shortened links. With XSS flaws, a hacker could insert harmful code into an URL even if it seems that that URL is from a trusted source.

According to Raff, even if Twitter users change their passwords, it won't safeguard them against attacks that exploit these flaws. He states that users of Twitter should log into the site via third-party utilities only when they have no other option, or else they should opt for the 'log out' button.

The month-of-bugs idea, in which researchers reveal fresh security flaws each day of a particular month, dates back three years when Director of Security Research HD Moore at BreakingPoint Systems introduced it, to draw attention towards security problems in browsers, under his Month-of-Browser Bugs scheme.

Related article: Researchers Urge Caution against phishing Scams

» SPAMfighter News - 7/13/2009