It might be a good idea to keep your ear to the ground in July and probably August for malicious exploits that take advantage of Twitter or third party services that use it.
Researcher Aviv Raff of FraudAction has announced that he will launch a “Month of Twitter Bugs” (MoTB), in which he will post a new vulnerability each day on his twitpwn.com site.
His description of what he is doing is as follows: “I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other ‘Month of Web2.0 service bugs’, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.
“Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at least 24 hours heads-up before I publish the vulnerability.”
Raff said he got the idea from the “Month of Browser Bugs” that H.D. Moore ran in July of 2006.
There are two views of “Month of (your app/os here) Bugs” campaigns:
1) It’s the only way to light a fire under the companies that provide these services and software to fix their defective products.
2) It’s an irresponsible piece of grandstanding that is going to draw the attention of hackers and malcode writers and could result in a significant malware attack that will affect a lot of Internet users.
One June 16 comment on Raff’s blog represents the perspective of the poor overworked IT guys who are going to bear the brunt of this if it turns something loose from the dark side: “Giving 24 hours notice is just not responsible and if you ever find yourself working in the security field (as a job) this may come back to haunt you. I’d suggest telling them now and giving them some time to fix the issues, should be all clear then.”
It’s a “responsible disclosure” issue, and there is little agreement on the details of how responsible disclosure should be done.
Tom Kelchner