The Month of Twitter Bugs kicked off July 1 with news of four cross-site scripting bugs affecting bit.ly, a popular URL shortening service used by Twitter users.
The bugs are the first entry in a monthlong effort to expose third-party vulnerabilities that impact Twitter. The brainchild of security researcher Aviv Raff, Month of Twitter Bugs (MoTB) follows in the footsteps of the Month of Browser Bugs launched in July 2006.
This time around, things began with a reflected cross-site scripting issue in the “url” query parameter. Bug No. 2 for bit.ly is a reflected cross-site scripting issue in the “keywords” parameter, with the others being a reflected POST cross-site scripting flaw in the username field of the log-in page and a persistent cross-site scripting flaw in the content-type field of the URL info page.
All four of the vulnerabilities have been patched by bit.ly, though one—the reflected POST cross-site scripting vulnerability in the content-type field of the URL info page—wasn’t fixed until 3 hours after Raff posted it. Overall, it took a month and a half for bit.ly to plug all four security holes.
Raff has pledged to give both Twitter and third-party service providers at least 24 hours’ notice before posting any vulnerability.
“bit.ly has a large user base (who doesn’t click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs,” Raff warned on the MoTB site.