Month of Twitter Bugs: bit.ly multiple vulnerabilities
The first report in the Month of Twitter Bugs focuses on multiple vulnerabilities in the bit.ly URL shortening service. The discovered security issues include:
- Reflected Cross-Site Scripting in the “url” query parameter.
- Reflected Cross-Site Scripting in the keywords parameter.
- Reflected POST Cross-Site Scripting in the username field of the login page.
- Persistent Cross-Site Scripting in the content-type field of the URL info page.
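The four issues above are two patterns: untrusted request input reflected straight back into HTML (the "url" and keywords parameters, the login username), and untrusted data stored and rendered later (the content-type field). The following Python is an added illustration written for this note, not bit.ly's code or code from the Month of Twitter Bugs write-up; it shows the unescaped reflection pattern next to the hardened version that HTML-escapes before rendering, plus a small check that a regression test can use. The template markup, the in-memory store and the sample input are constructed for the example.

```python
import html

# Constructed sample input: what a tainted "url" query parameter could look like.
# (Illustrative only; any text carrying <, >, " or ' must be treated the same way.)
TAINTED_URL = 'http://example.com/"><script>alert(1)</script>'


def render_url_field_unsafe(url_param: str) -> str:
    """Vulnerable pattern: the query parameter is copied verbatim into an
    attribute value, so a quote in the input closes the attribute and the
    remainder becomes live markup (reflected XSS)."""
    return f'<input type="text" name="url" value="{url_param}">'


def render_url_field_safe(url_param: str) -> str:
    """Hardened pattern: HTML-escape the value, including quote characters
    (quote=True), before it is placed inside an attribute."""
    return f'<input type="text" name="url" value="{html.escape(url_param, quote=True)}">'


# Persistent case: a value stored at shortening time (here the content-type of
# the target URL) and rendered later on an info page. Escaping has to happen at
# output time; storing the raw value is fine as long as every render escapes it.
_link_info = {}  # constructed in-memory store, keyed by short code


def store_link_info(short_code: str, content_type: str) -> None:
    _link_info[short_code] = content_type


def render_info_page_safe(short_code: str) -> str:
    content_type = _link_info.get(short_code, "")
    return f"<p>Content-Type: {html.escape(content_type, quote=True)}</p>"


def reflected_safely(rendered: str, untrusted: str) -> bool:
    """Regression-test helper: True if the untrusted input only appears in the
    rendered page in its HTML-escaped form. Inputs with no special characters
    escape to themselves and are accepted as-is."""
    escaped = html.escape(untrusted, quote=True)
    if escaped not in rendered:
        return False
    return untrusted == escaped or untrusted not in rendered


if __name__ == "__main__":
    print("unsafe:", render_url_field_unsafe(TAINTED_URL))
    print("safe:  ", render_url_field_safe(TAINTED_URL))
    store_link_info("abc123", "text/html<script>")
    print("info:  ", render_info_page_safe("abc123"))
```

The check in `reflected_safely` is deliberately narrow: it only verifies that the raw input never reaches the page unescaped, which is the defect behind all four reports, and it does not replace context-aware encoding for JavaScript, URL or CSS contexts.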
Security issues have been patched, but according to researcher Aviv Raff who is behind the Month of Twitter Bugs, it took bit.ly a month and a half to fix these simple XSS vulnerabilities. Technical details on the vulnerabilities here.