Twitter API facilitates worm propagation

27 May 2009, 12:34

Twitter API facilitates worm propagation

"Security specialist Aviv Raff reports that the Twitter API can be exploited to spread worms. Among other things, the Twitter API allows users to configure, manage and query the status of their accounts using HTTP requests. Responses are delivered in the form of an XML or JSON document.

The twitpic.com photo sharing service is among the application sites that use the API, for example, to retrieve or import a user's Twitter profile. According to Raff, until recently Twitpic didn't filter HTML tags from the original Twitter profiles, so profiles containing JavaScript could be saved in Twitpic.

Although Twitter (twitter.com) was filtering out the tags when a profile was requested, Twitpic (twitpic.com) did not and was returning the code along with the profile – which then executed in the requesting user's browser. This could not only be exploited to spy on users' Twitpic accounts, the code could also use the Twitter API to automatically send a tweet with an image link on behalf of a logged-in user."

Heise security for more detail - http://www.h-online.com/security/Twitter-A...n--/news/113386
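To make the quoted defect concrete, here is an added illustration that is not code from the original post, from Heise, from Twitter or from Twitpic. It models a site that imports a profile from an upstream API and renders it into its own page: the vulnerable rendering that trusts the imported field, a blacklist "filter" that still fails, and the hardened version that encodes for the HTML context at output time. The field names, the sample profile, the filter and the tag-count check are all constructed for this example.

```javascript
// Added example, not Twitpic's or Twitter's code. Profile field names
// (name, bio) and the sample profile below are constructed.

// A profile as a consuming site might receive it from an upstream JSON API.
// The upstream may strip tags when IT renders the profile, but the raw API
// response still carries whatever the account owner typed into the field.
const importedProfile = {
  name: 'alice',
  bio: 'hello <script>document.title="pwned"</script> world',
};

// Vulnerable: the imported field is concatenated straight into markup, so
// any HTML the upstream user saved now executes in THIS site's origin, with
// this site's cookies and any API credentials the page holds.
function renderProfileVulnerable(profile) {
  return `<div class="profile"><h2>${profile.name}</h2><p>${profile.bio}</p></div>`;
}

// Blacklisting one tag name is not a fix: a nested payload survives a single
// pass, and every other tag/attribute vector is untouched.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script>/gi, '');
}
function renderProfileBlacklisted(profile) {
  return `<div class="profile"><h2>${stripScriptTags(profile.name)}</h2><p>${stripScriptTags(profile.bio)}</p></div>`;
}

// Hardened: encode for the HTML text context at the point of output,
// regardless of what the upstream did. These five characters are the ones
// that can alter HTML structure or break out of an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2><p>${escapeHtml(profile.bio)}</p></div>`;
}

// Simple check: the template itself contributes exactly six tags
// (div, h2, /h2, p, /p, /div). Any extra tag came from imported data.
const TEMPLATE_TAG_COUNT = 6;
function countTags(html) {
  return (html.match(/<[^>]+>/g) || []).length;
}

// Constructed payload that defeats the single-pass blacklist above.
const nestedPayloadProfile = {
  name: 'bob',
  bio: '<scr<script>ipt>alert(1)</scr</script>ipt>',
};
```

The point of the check is that output encoding is keyed to the context the data lands in (here, HTML text), not to where the data came from; the upstream having "filtered" the profile on its own pages says nothing about what its API returns to a third party.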