From the “Public Disclosure” files:
Security researcher Aviv Raff has followed through on his promise of starting the Month of Twitter Bugs (MoTB). His first target? The popular bit.ly URL shortening service.
Finding flaws in URL shortening services is not an entirely new phenomenon. Just two weeks ago Cligs disclosed that upward of two million of its shortened URLs had been hacked.
For bit.ly, Raff found four vulnerabilities, three of which, in his view, are now patched. (I have not yet been able to independently get comment from bit.ly to confirm the fourth, though Raff has a decent working proof of concept publicly posted that worked when I tried it.)
All four of the issues were Cross-Site Scripting (XSS) related flaws.
Though Raff is the researcher bundling up the issues under the banner of Month of Twitter Bugs, at least one of the flaws was publicly disclosed before today.
Raff reports a reflected Cross-Site Scripting flaw in the keywords parameter, which was first reported by security researcher Mike Bailey on June 24th 2009.
“I found an XSS hole in the popular URL shortener, bit.ly,” Bailey wrote in his advisory last week. “This can be used to compromise browsing history, tamper with a user’s bit.ly settings, and even abuse Twitter accounts (they have a Twitter API).”
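To make the reflected-XSS class of bug concrete, here is an added example that is not bit.ly's code and not from Raff's or Bailey's advisories. It models a hypothetical search page that echoes a keywords query parameter back into HTML, showing the unsafe rendering beside an output-encoded one, and a small log check a defender could run to spot probes against such a parameter. The URL, endpoint path and log lines are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request (hypothetical host and path, not bit.ly's real layout):
# the "keywords" parameter carries a URL-encoded script tag.
SAMPLE_URL = "https://shortener.example/search?keywords=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Constructed access-log lines, one benign and one carrying markup in the parameter.
SAMPLE_LOG = [
    "GET /search?keywords=cats HTTP/1.1",
    "GET /search?keywords=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
]


def keywords_from_url(url: str) -> str:
    """Return the decoded 'keywords' query parameter, or '' if absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get("keywords", [""])[0]


def render_vulnerable(keywords: str) -> str:
    """Echo the parameter straight into HTML: this is the reflected-XSS pattern."""
    return f"<p>Results for: {keywords}</p>"


def render_hardened(keywords: str) -> str:
    """Echo the parameter after HTML-escaping, so the browser treats it as text.

    html.escape with quote=True also neutralises quotes, which matters when the
    value lands inside an attribute rather than element text.
    """
    return f"<p>Results for: {html.escape(keywords, quote=True)}</p>"


def flag_suspicious_requests(log_lines):
    """Return log lines whose decoded keywords parameter contains markup.

    A deliberately simple detection heuristic for the example: anything with an
    angle bracket or a javascript: scheme in the parameter is worth a look.
    """
    flagged = []
    for line in log_lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        value = keywords_from_url(parts[1])
        if "<" in value or "javascript:" in value.lower():
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    kw = keywords_from_url(SAMPLE_URL)
    print("vulnerable:", render_vulnerable(kw))
    print("hardened:  ", render_hardened(kw))
    print("flagged:   ", flag_suspicious_requests(SAMPLE_LOG))
```

The hardened renderer is the minimum fix for this bug class; a server that also sends a Content-Security-Policy header limits the damage if an encoding step is ever missed.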