
Netstat -vat by Sean Michael Kerner (bio)

A command line view of IT



Month of Twitter Bugs begins with bit.ly flaws

From the 'public disclosure' files:

Security researcher Aviv Raff has followed through on his promise of starting the Month of Twitter Bugs (MoTB). His first target? The popular bit.ly URL shortening service.

Finding flaws in URL shortening services is not an entirely new phenomenon: just two weeks ago, Cligs disclosed that upward of two million of its shortened URLs had been hacked.

For bit.ly, Raff found four vulnerabilities, three of which, in his view, are now patched (I have not yet been able to independently get comment from bit.ly to confirm the fourth, though Raff has a decent working proof of concept publicly posted that worked when I tried it).

All four of the issues were Cross Site Scripting (XSS) related flaws.

Though Raff is the researcher bundling up the issues under the banner of Month of Twitter Bugs, at least one of the flaws was publicly disclosed before today.

Raff reports one flaw involving reflected Cross-Site Scripting in the keywords parameter, which was first reported by security researcher Mike Bailey on June 24th, 2009.
"I found an XSS hole in the popular URL shortener, bit.ly," Bailey wrote in his advisory last week. "This can be used to compromise browsing history, tamper with a user's bit.ly settings, and even abuse Twitter accounts (they have a Twitter API)."

According to Raff, bit.ly fixed the reflected XSS issue yesterday (June 30th).
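A reflected XSS in a search-style keywords parameter, as described above, comes from echoing the query value back into the page without encoding it. The following is an added illustration, not bit.ly's code (its implementation is not on the page): a minimal Python handler that reflects `keywords` unsafely beside the hardened version that HTML-encodes the value, plus a small check that tells the two apart. The function names, the example host and the sample URL are all constructed for this example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a request to a shortener's search page whose
# "keywords" value carries markup instead of a plain search term.
SAMPLE_URL = "https://shortener.example/search?keywords=<b>news</b>"


def keywords_from_url(url: str) -> str:
    """Return the first 'keywords' query value from a URL (empty if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("keywords", [""])[0]


def render_results_unsafe(keywords: str) -> str:
    """Vulnerable pattern: the user-controlled value is pasted straight into
    HTML, so any tags it contains become part of the page (reflected XSS)."""
    return f"<h1>Results for: {keywords}</h1>"


def render_results_safe(keywords: str) -> str:
    """Hardened pattern: HTML-encode the value for the element-text context
    before interpolating it; quote=True also covers attribute contexts."""
    return f"<h1>Results for: {escape(keywords, quote=True)}</h1>"


def reflects_markup(rendered: str, keywords: str) -> bool:
    """Detection check for tests or scans: does the response contain the raw
    markup that was sent? True means the input was reflected unencoded."""
    return "<" in keywords and keywords in rendered


if __name__ == "__main__":
    kw = keywords_from_url(SAMPLE_URL)
    print("unsafe reflects markup:", reflects_markup(render_results_unsafe(kw), kw))
    print("safe reflects markup:", reflects_markup(render_results_safe(kw), kw))
    print(render_results_safe(kw))
```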

Raff also credits researcher Mario Heiderich for the discovery of two additional flaws, both of which have now been patched by bit.ly according to Raff.

Though one of the four issues included in the MoTB today has not yet been patched, according to Raff, all of the issues have been previously disclosed to bit.ly. In Raff's view, it has taken bit.ly a month and a half to fix simple XSS vulnerabilities - which is somewhat less than ideal.
"bit.ly has a large user base (who doesn't click bit.ly links?)," Raff wrote. "However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs..."
This is only day one of the MoTB, and already in my view this has had an impact. I click on bit.ly links all the time. As a result of this effort, at least three issues have been patched that otherwise might not have been. This is a good thing, and hopefully it will encourage bit.ly and other URL shortening services to take XSS more seriously.
