Through cross-web2.0 scripting

May 27, 2009 13:22 GMT  ·  By

Respected security researcher Aviv Raff warns of a new type of web vulnerability, which he dubs "Cross-Web2.0 Scripting." According to him, a perfectly secure website can become insecure if a third-party web service using its API is vulnerable.

Much of the website interconnection and real-time information exchange that is so specific to the Web 2.0 model is achieved through the use of application programming interfaces, in short APIs. A Web Services API is a set of protocols, libraries, routines, which third-party applications can tap into in order to send or extract information.

Most Web 2.0 big players, such as Google, Facebook, etc., offer open APIs to developers. However, in this particular case, Aviv Raff uses Twitter's to demonstrate the concept, possibly because the micro-blogging platform has constantly been in the spotlight since the beginning of the year, due to numerous security incidents.

"Mikeyy wrote a twitter worm. It's old news, I know, and by now Twitter seem to fix all the known vulnerabilities on their website. But, let's say that there are no more XSS/CSRF/etc. vulnerabilities on Twitter.com. Does it mean that there will be no more twitter worms? Unfortunately, the answer to that question is no," the researcher says.

Mr. Raff claims that this is because of the Twitter API, though not so much the API itself as the third-party websites that use it. He goes on to give the example of twitpic.com, a service for sharing pictures on Twitter, which taps into the Twitter API in order to import a user's profile information.

However, "While twitter.com (finally) sanitize and encode HTML tags in the twitter profile information (name, URL, bio, etc.), twitpic.com failed to do so and by that allowed injecting scripts to the twitpic user profile page. This is a very simple persistent XSS, which can be easily abused to hijack twitpic.com user accounts," the expert explains.

The API is also used to post messages back to Twitter on behalf of a user whenever they post or comment on a picture from twitpic.com. Mr. Raff set up a fake profile on Twitpic and leveraged the XSS flaw to create a working Twitter worm. Any user logged into Twitpic who visited the rogue profile would automatically have posted Raff's message, with a link to the profile, to their own Twitter feed.
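The failure described above is a third-party site rendering profile fields pulled from an upstream API as if they were trusted. The following is an added example, not code from the article, Twitter or Twitpic, showing that mistake beside the hardened form: every API-sourced field is encoded for its HTML context at output time, and the profile URL is restricted to http(s) before it is placed in an href. The sample profile object is constructed for illustration.

```javascript
// Constructed sample of what a profile import from an upstream API might return.
// The name and url fields carry hostile values to show why the consumer must
// encode at output regardless of what the upstream site sanitizes.
const apiProfile = {
  screen_name: "example_user",
  name: "Mallory <script>alert('profile')</script>",  // constructed hostile value
  url: "javascript:alert('link')",                     // constructed hostile value
  description: "Photos & \"quotes\" <b>bold</b>",
};

// Escape the characters that matter in HTML text and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only absolute http(s) URLs in an href; anything else becomes a harmless "#".
function safeHref(value) {
  try {
    const u = new URL(String(value));
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) { /* not a parseable absolute URL */ }
  return "#";
}

// The mistake the article describes: API data concatenated straight into markup.
function renderProfileUnsafe(p) {
  return `<div class="profile"><h2>${p.name}</h2>` +
         `<a href="${p.url}">${p.screen_name}</a><p>${p.description}</p></div>`;
}

// Hardened form: each field encoded for the context it lands in.
function renderProfileSafe(p) {
  return `<div class="profile"><h2>${escapeHtml(p.name)}</h2>` +
         `<a href="${escapeHtml(safeHref(p.url))}">${escapeHtml(p.screen_name)}</a>` +
         `<p>${escapeHtml(p.description)}</p></div>`;
}

// Quick check: does a raw script tag or javascript: scheme survive into the page?
function containsActiveContent(html) {
  return /<script|javascript:/i.test(html);
}

console.log(containsActiveContent(renderProfileUnsafe(apiProfile))); // true
console.log(containsActiveContent(renderProfileSafe(apiProfile)));   // false
```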

"Twitter are not alone in this mess. This 'Cross-Web2.0 Scripting' type of vulnerabilities can affect all other social networks," the security researcher notes. "If you are the owner of a service which provides an API, fixing your own website or application vulnerabilities might not be enough…," he concludes.