WatchGuard Wire
Improve Your Security IQ
Month of [blah] Bugs arrives on Twitter's doorstep in July
30 June 09 -- A few years ago, I published a Wire post complaining about a new trend where researchers announced a Month of [something] Bugs. These were special projects initiated by various security researchers who planned to announce one new security bug a day for an entire month. Each bug released that month related to a specific topic, maybe a certain type of program or operating system component. For example, Moore kicked off this concept with the Month of Browser Bugs (MoBB) and LMH followed up with the Month of Kernel Bugs (MoKB). While I'm all for uncovering security flaws so vendors can fix them, I don't believe you should disclose those flaws without giving the vendor the time needed to correct them.
Whether or not I like this idea, it seems like the Month of [whatever] Bugs is alive and well. A researcher named Aviv Raff intends to disclose a Twitter security bug every day in July, making it the Month of Twitter Bugs (MoTB). He'll host his daily Twitter fail on a site jokingly called twitpwn.com. Again, I find myself with mixed feelings about this sort of security stunt. On one hand, as a Twitter user (follow me @SecAdept), I see many potential security issues with the popular social networking service. For instance, many security researchers have pointed out problems with Twitter's API. Twitter has also suffered from various web application vulnerabilities in the past. Not to mention, the heavy usage of URL shorteners on Twitter poses potential security concerns. So I'm all for Twitter learning about some of their security problems and attempting to fix them.
On the other hand, Raff only intends to give Twitter (and its 3rd-party partners) a 24-hour "heads up" before disclosing these vulnerabilities. While web application development moves a lot quicker than traditional software development (no compile time), I don't think this short notice is fair to Twitter's developers or Twitter's customers. If you don't give Twitter time to react to these security flaws, you just put their customers at risk.
Despite the fact that I don't agree with the ethics behind these Month of [foo] Bugs stunts, I will still follow July's MoTB religiously to learn of the new Twitter bugs. If you use Twitter, I recommend you follow MoTB too. That way you can measure the risk associated with each new vulnerability and react accordingly. -- Corey Nachreiner, CISSP
Copyright© 2009 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.