May 28, 2009

Twitter API ripe for abuse by web worms

A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks.

The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as researcher Aviv Raff points out, it’s much easier to misuse the Twitter API as a “weak link” to send worms squirming through Twitter.

Raff, well-known for his research work on browser and Web application vulnerabilities, points out that a single vulnerability on any of the third-party services (Twitpic, etc.) that use the API can trigger the next Twitter worm.

Raff writes:
An example of this threat is a vulnerability I found a few weeks ago on the Twitpic.com website. Twitpic imports the profile information from Twitter and displays it on the Twitpic.com profile page. While twitter.com (finally) sanitizes and encodes HTML tags in the Twitter profile information (name, URL, bio, etc.), Twitpic.com failed to do so, and by that allowed injecting scripts into the Twitpic user profile page. This is a very simple persistent XSS, which can be easily abused to hijack twitpic.com user accounts. However, because twitpic.com also uses the Twitter API to automatically send twits on behalf of the user whenever the user uploads a picture or comments on another user’s picture, it can also be easily used to create a Twitter worm.

Raff created a demo attack that automatically comments on a random picture on Twitpic.com whenever a user visits the twitpic.com profile of the account he created, “twitpicxss.”

Anyone who visited that profile page while logged in to the Twitpic service would automatically send a tweet to Twitter with the content he (Raff) set in the comment.
The content contained a link to the “twitpicxss” profile, which could have led other users who follow the victim to click on that link, be exploited in turn, and keep spreading the worm.
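The consumer-side fix for the failure Raff describes is to treat every field imported from an upstream API as untrusted text, regardless of what the upstream site encodes. The following is an added example, not code from Twitpic, Twitter or the article; the profile fields and their values are constructed for illustration, and it shows a rendering that trusts the imported data beside one that encodes it per output context (HTML text versus the href attribute):

```python
import html
from urllib.parse import urlparse

# Constructed sample of profile data as a third-party site might receive it
# from an upstream API. Field names are hypothetical, not real API output.
SAMPLE_PROFILE = {
    "name": 'Mallory <script>alert("xss")</script>',
    "url": "javascript:alert(1)",
    "bio": "Likes <b>photos</b>",
}


def render_profile_unsafe(profile):
    """Mirrors the failure described above: imported fields are dropped
    straight into the page, so any tag or scheme in them becomes live."""
    return (
        f'<h1>{profile["name"]}</h1>'
        f'<a href="{profile["url"]}">{profile["url"]}</a>'
        f'<p>{profile["bio"]}</p>'
    )


def safe_href(url):
    """Attribute context: HTML-encoding alone does not stop a javascript:
    URL, so only http/https links are allowed through; others become inert."""
    if urlparse(url).scheme in ("http", "https"):
        return html.escape(url, quote=True)
    return "#"


def render_profile_safe(profile):
    """Text context: HTML-encode every imported field at output time, so
    markup in the name or bio is displayed literally instead of executed."""
    name = html.escape(profile["name"], quote=True)
    url_text = html.escape(profile["url"], quote=True)
    bio = html.escape(profile["bio"], quote=True)
    return (
        f"<h1>{name}</h1>"
        f'<a href="{safe_href(profile["url"])}">{url_text}</a>'
        f"<p>{bio}</p>"
    )


def contains_live_markup(rendered):
    """Crude regression check: a live script tag or a javascript: href
    should survive only in the unsafe rendering."""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered
```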

Raff also showed me additional examples of cross-site request forgery (CSRF) problems in third-party Twitter services that could lead to worms.

Twitter’s ongoing search for software engineers to focus specifically on application and infrastructure security is a great first step but unless security gets baked into the way the API is used, the service will continue to be plagued by worms.

More links:
Twitter API ripe for abuse by web worms
Twitter being used to distribute malware
Twitter hit by multiple variants of XSS worm
Source of articles
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


May 15, 2009

Why Content is King In Web Design

How can you help your readers know whether your site can really help them? Do you need a web designer to make it happen? Why is content writing for the web different from any other kind of writing? You'll find answers in this article.

Web Design: Scannability

Would it interest you to know that most web users don't come to your site to appreciate the attractiveness of the design? That's not to say that an attractive web design isn't important.

However, the majority of site visitation happens because the consumer was motivated to look at your site to see if you could give them a reason to purchase from your ecommerce business.

The web is based on small resolution sizes. The words read online aren't even as clear as newsprint. The pictures are often low resolution and a computer screen can tax the best of vision.

Practical Application

One of the most cost-effective applications of this information is that you may not need a website filled with all the toys such as JavaScript or Flash design. These tools add spice to your website, but can often distract or even annoy visitors who are simply looking for information they expect to find on your website.

A well-ordered website can reap incredible rewards for an ecommerce business. Effective bullet points, keywords or phrases accented in bold type, and an easy-to-navigate page may have a greater impact on your ecommerce web design than anything else.

What this may also mean is that the web design options you can choose from may expand.

Self-Directed Design

You see, if you know what will make your site better, you can self-direct the development of the site through template-rich designs that give you total control over the text in an easy-to-use environment, without complicated code or extended training seminars.

Obviously many web design experts would rather have you seek an alternative using their personalized service, but in the end you have a stronger interest in the success of your website than a hired web developer.

If you can utilize the tools available to make your site user friendly and highly scannable you will likely find you can achieve your own success in web design.

Writing for the Web

Content writing for web pages is not the same as writing for any other type of content. Thoughts must be compact and content must be scannable.

This means that when you write for the web you must help your reader find the subject they are most interested in, using a sub-heading or indexing system that allows a quick scan to determine whether your web page contains the information they need.

Even if your website does not contain the exact information your visitor wants, they may be pleased that it didn't require extended reading to make that determination. In turn, the visitor may venture to other pages of online content to determine whether you have the information they need elsewhere on your site.

About the Author: Scott Lindsay - Make A Website in minutes with the Website Builder at HighPowerSites.com.
