Twitter API weak link for worm attacks

Unless Twitter does something about hackers abusing its API, worm attacks are likely to continue.

A security researcher has suggested Twitter will be unable to stop worm attacks as long as hackers keep taking advantage of its API (Application Programming Interface).

Aviv Raff, FraudAction Research lab manager at RSA, said on his blog that even if Twitter hired the best security engineer to fix all vulnerabilities, the Twitter API would be the weak link allowing the creation of new worms.


The API is, according to Twitter, a defined way for a program to accomplish a task, which usually means retrieving or modifying data.

It said: "We provide an API method for just about every feature you can see on our website. Programmers use the Twitter API to make applications, websites, widgets, and other projects that interact with twitter."

"Programs talk to Twitter API over HTTP, the same protocol that your browser uses to visit and interact with web pages," it added.

Many third-party applications use the Twitter API, and Raff warned that it only took a single vulnerability in one of those apps to trigger another Twitter worm.

Raff used the example of twitpic.com, which had a cross-site scripting flaw that could be used to hijack user accounts and, because of the site's Twitter API integration, could also have been used to spread a worm.


He said: "Because twitpic.com also uses the Twitter API to automatically send twits [tweets] on behalf of the user, whenever the user uploads a picture or comments on another user's picture, it can also be easily used to create a Twitter worm."


This particular flaw has now been fixed, but Raff said it was just one example of the many services and applications that used the Twitter API and were potentially vulnerable.
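The propagation pattern Raff describes has a recognisable footprint on the service side: the same link is posted by many distinct accounts through the same third-party client within a short window, because the app is tweeting on behalf of every user who views the infected page. The following detector is an added example (not code from the article, Raff's post or Twitter) that flags such bursts in API-posted tweet records; the records, the client name "photoapp" and the URLs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tweet records as (timestamp, user, source app, text). Four users post
# the same photoapp link within minutes; the other posts are ordinary traffic.
SAMPLE_TWEETS = [
    ("2009-06-01T10:00:00", "alice", "photoapp", "check my pic http://photoapp.example/p/123"),
    ("2009-06-01T10:01:00", "erin",  "web",      "lunch at http://cafe.example/menu"),
    ("2009-06-01T10:02:00", "bob",   "photoapp", "check my pic http://photoapp.example/p/123"),
    ("2009-06-01T10:03:00", "gina",  "photoapp", "my cat http://photoapp.example/p/999"),
    ("2009-06-01T10:04:00", "carol", "photoapp", "check my pic http://photoapp.example/p/123"),
    ("2009-06-01T10:05:00", "dave",  "photoapp", "check my pic http://photoapp.example/p/123"),
    ("2009-06-01T11:30:00", "frank", "web",      "lunch at http://cafe.example/menu"),
    ("2009-06-01T13:00:00", "hank",  "photoapp", "check my pic http://photoapp.example/p/123"),
]

URL_RE = re.compile(r"https?://\S+")


def find_worm_bursts(tweets, window=timedelta(minutes=10), min_users=3):
    """Return {(source_app, url): set_of_users} for every link that was posted by at
    least `min_users` distinct accounts through the same client app inside any
    sliding time window of length `window`."""
    posts_by_key = defaultdict(list)
    for ts, user, source, text in tweets:
        for url in URL_RE.findall(text):
            posts_by_key[(source, url)].append((datetime.fromisoformat(ts), user))

    alerts = {}
    for key, posts in posts_by_key.items():
        posts.sort()  # chronological order so a two-pointer window works
        start = 0
        for end in range(len(posts)):
            # Shrink the window from the left until it spans at most `window`.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            users_in_window = {user for _, user in posts[start:end + 1]}
            if len(users_in_window) >= min_users:
                alerts.setdefault(key, set()).update(users_in_window)
    return alerts


if __name__ == "__main__":
    for (source, url), users in find_worm_bursts(SAMPLE_TWEETS).items():
        print(f"possible worm via {source}: {url} posted by {sorted(users)}")
```

The lone late post by "hank" is not flagged because it falls outside every window that contains the earlier burst, which keeps a legitimately popular link that trickles in over hours from tripping the rule.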

Twitter has suffered several high-profile security incidents this year, while 2009 is turning out to be the year of the worm attack.

Twitter did not reply to our request for comment at the time of publishing.
