3 Ways Twitter Security Falls Short
Social-networking tool Twitter has become this year's "it" platform. But experts say it still has some work to do on its security.
By Joan Goodchild, Senior Editor
February 18, 2009 — CSO —
The popular micro-blogging platform Twitter continues its explosive growth. Twitter experienced a 900 percent increase in active users in the last year, according to a recent blog post from Biz Stone, the company's co-founder. People are increasingly using it to get breaking news updates, to collaborate with colleagues remotely, and connect with friends on an up-to-the-minute basis. Some businesses are using it as a new promotion and marketing tool.
Despite the popularity, Twitter still has a lot to do when it comes to securing the platform (See: Three Ways a Twitter Hack can Hurt You). We spoke with two security experts about three areas where Twitter poses some significant risks.
URL shortening
Twitter "Tweets" have a limit of 140 characters. Many users enter URLs that are too long, and these are automatically shortened with a service such as TinyURL. As a result, users can't tell where a link is going when they scroll over it.
This makes it much easier for hackers to send out faulty or malicious links, according to Mike Murray, CISO at Foreground Security, a Florida-based security consultancy.
"With these new mediums, we've gone back to 1997 in terms of the way we act," said Murray. "When email first came out, everyone sent out forwards and all of this other stuff and everyone opened it. And we've spent the last ten years convincing people bad things can come from opening emails you don't trust. We are inoculated against that in email. We are not inoculated against that in Twitter and Facebook. We trust the people we talk to and that talk to us."
"We've been saying to people for ages: 'Be careful which links you click on and make sure it really is who it claims to be,'" said Graham Cluley, a senior technology consultant with UK-based security firm Sophos. "If you are clicking on something that is a tiny url, you don't know where you are going to end up. It is harder to check and reassure yourself about where you are really going."
Both experts agree it is important to educate Twitter users about the potential for malicious links (See: Social Networking Dangers Exposed). Instill in them that it is important to verify that all of the Twitterers in their network are legitimate and to consider the source before clicking on any URLs.
"By now we have figured out the hygiene around email," said Murray. "If we can help users figure out that same hygiene around social networking, I think we will all be better off."