Month of Twitter Bugs: bit.ly multple vulnerabilities

First report in the Month of Twitter Bugs focuses on multiple vulnerabilities in bit.ly URL shortening service. Discovered security issues include:

• Reflected Cross-Site Scripting in the “url” query parameter.
• Reflected Cross-Site Scripting in the keywords parameter.
• Reflected POST Cross-Site Scripting in the username field of the login page
• Persistent Cross-Site Scripting in the content-type field of the URL info page

Security issues have been patched, but according to researcher Aviv Raff who is behind the Month of Twitter Bugs, it took bit.ly a month and a half to fix these simple XSS vulnerabilities. Technical details on the vulnerabilities here.