Month of Twitter Bugs Arrives

By Brian Prince  |  Posted 2009-07-01

It's heeeeeerrrrre.

The Month of Twitter Bugs kicked off July 1 with news of four cross-site scripting bugs affecting, a popular URL shortening service used by Twitter users.

The bugs are the first entry in a monthlong effort to expose third-party vulnerabilities that impact Twitter. The brainchild of security researcher Aviv Raff, Month of the Twitter Bugs (MoTB) follows in the footsteps of the Month of the Browser Bugs launched in July 2006.

This time around, things began with a reflected cross-site scripting issue in the "url" query parameter. Bug No. 2 for is reflected cross-site scripting in the keywords parameter, with the others being a reflected POST cross-site scripting in the username field of the log-in page and a persistent cross-site scripting flaw in the content-type field of the URL info page.

All four of the vulnerabilities have been patched by, though one—the reflected POST cross-site scripting vulnerability in the content-type field of the URL info page—wasn't fixed until 3 hours after Raff posted it. Overall, it took a month and a half for to plug all four security holes.

Raff has pledged to give both Twitter and third-party service providers at least a 24-hour heads-up before posting any vulnerability.

" has a large user base (who doesn't click links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs," Raff warned on the MoTB site.

For more on the Month of Twitter Bugs, click here.
