Twitter API weak link for worm attacks

A security researcher has suggested Twitter will be unable to stop worm attacks as long as hackers keep taking advantage of its API (Application Programming Interface).

Aviv Raff, FraudAction Research lab manager at RSA, said on his blog that even if Twitter hired the best security engineer to fix all vulnerabilities, the Twitter API would be the weak link allowing the creation of new worms.

The API is, according to Twitter, a defined way for a program to accomplish a task, which usually means retrieving or modifying data.

It said: "We provide an API method for just about every feature you can see on our website. Programmers use the Twitter API to make applications, websites, widgets, and other projects that interact with twitter."

"Programs talk to Twitter API over HTTP, the same protocol that your browser uses to visit and interact with web pages," it added.

Many third party applications use Twitter API, and Raff warned that it only took a single vulnerability in an app to trigger another Twitter worm.

Raff used the example of twitpic.com, which had a cross-scripting flaw that could be used to hijack user accounts, but could have spread due to the Twitter API.

He said: "Because twitpic.com also uses the Twitter API to automatically send twits [tweets] on behalf of the user, whenever the user uploads a picture or comments on another user's picture, it can also be easily used to create a Twitter worm."

This particular flaw has now been fixed, but Raff said it was just one example of the many services and applications that used the Twitter API and were potentially vulnerable.

Twitter has suffered several high-profile security incidents this year, while 2009 is turning out to be the year of the worm attack.

Twitter did not reply to our request for comment at the time of publishing.