Twitter API weak link for worm attacks
Unless Twitter does something about hackers abusing its API, worm attacks are likely to continue.
Aviv Raff, FraudAction Research lab manager at RSA, said on his blog that even if Twitter hired the best security engineer to fix all vulnerabilities, the Twitter API would be the weak link allowing the creation of new worms.
The API is, according to Twitter, a defined way for a program to accomplish a task, which usually means retrieving or modifying data.
It said: "We provide an API method for just about every feature you can see on our website. Programmers use the Twitter API to make applications, websites, widgets, and other projects that interact with twitter."
"Programs talk to Twitter API over HTTP, the same protocol that your browser uses to visit and interact with web pages," it added.
Many third party applications use Twitter API, and Raff warned that it only took a single vulnerability in an app to trigger another Twitter worm.
Raff used the example of twitpic.com, which had a cross-scripting flaw that could be used to hijack user accounts, but could have spread due to the Twitter API.
He said: "Because twitpic.com also uses the Twitter API to automatically send twits [tweets] on behalf of the user, whenever the user uploads a picture or comments on another user's picture, it can also be easily used to create a Twitter worm."
This particular flaw has now been fixed, but Raff said it was just one example of the many services and applications that used the Twitter API and were potentially vulnerable.
Twitter did not reply to our request for comment at the time of publishing.
The case for a marketing content hub
Transform your digital marketing to deliver customer expectationsDownload now
Fast, flexible and compliant e-signatures for global businesses
Be at the forefront of digital transformation with electronic signaturesDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now
IT faces new security challenges in the wake of COVID-19
Beat the crisis by learning how to secure your networkDownload now