As previously promised, Security Researcher Aviv Raff officially launched the Month of Twitter Bugs (MoTB) website on July 1. Aviv will be posting a “Twitter bug a day” on MoTB in order to raise awareness of the security of Twitter APIs and the third-party services built on them, and to warn end users of potential problems with the software and systems they use.
MoTB will be following a limited disclosure approach. On the bright side for Twitter, third-party service providers and Twitter themselves are notified of high-risk vulnerabilities at least 24 hours in advance, giving service providers time to create patches before the information goes public on MoTB. When a vulnerability notification is issued, it is hoped that having a deadline will push the affected provider to take action, and the resulting solution will protect end users. On the other hand, if the provider cannot—or will not—come up with a solution in time, the vulnerability information will be posted on MoTB and the bad guys are likely to be quick to thrust swords through the chinks in the Twitter armor.
Patch quality is important, too. Mistakes will be made (we’re all human, right?) and more so in high-pressure situations. Imagine how those working on security patches will be impacted by the sudden shift in pressure levels. The rush to release patches is likely to reduce the time available for testing and quality assurance, and although we are not suggesting that this is done on purpose, it may well be the case that we see issues with the pressure-cooked code.
So far, this method of limited disclosure seems to have worked according to plan. The first set of vulnerabilities posted belonged to the bit.ly URL-shortening service—all four were cross-site scripting (XSS) bugs, and all four of them have already been patched. Another XSS vulnerability, this time in HootSuite, a third-party application for managing Twitter accounts, was fixed just two hours after it was reported.
Symantec Security Response will be monitoring entries on MoTB very closely. We might even create a Twitter account and tweet about them ourselves.
Note: My thanks to colleague Henry Bell, co-author of this post.