Twitter: A Growing Security Minefield

As it explodes in popularity, the micro-blogging site attracts the bad guys.

. What's this?

By Robert Vamosi

July 23, 2009PC World

In June, the world watched as tweets from the streets of Tehran flooded Twitter. Frequent Twitter users--and people who hadn't even heard of the microblogging service--were suddenly and simultaneously witnessing its potential.

At the same time, antivirus vendors were warning of new phishing attacks that spread via Twitter. Using Twitter accounts, phishers would follow users and then infect them via a link to a fake profile page laden with malware. Like instant messaging, MySpace, and Facebook before it, Twitter had come of age.

After three years of relatively quiet development and growth, the service's meteoric rise in 2009 has been rough. Aside from scaling issues due to the influx of new users, in January a Twitter hack compromised the accounts of 33 high-profile users, including President Barack Obama, CNN anchor Rick Sanchez, and entertainer Britney Spears.

In April, a Twitter worm known as "Mikeyy" or "StalkDaily" reared its head. Similar to the 2005 Samy worm on MySpace, the Mikeyy worm was authored by a 17-year-old who took advantage of a code quirk to gain notoriety for his Web site, StalkDaily.com. Twitter shut it down--plus a few follow-up viruses ("How TO remove new Mikeyy worm!")--fairly quickly. Following the worm attacks, cofounder Biz Stone wrote on the company blog, "Twitter takes security very seriously and we will be following up on all fronts."

Shortened-URL Dangers
Parallel to the growth of Twitter is the expansion of URL-shortening services. Fitting your thoughts into 140 characters takes practice; including full URLs is almost impossible. Usually URLs have to be truncated through services such as Bit.ly and TinyURL.com, which also mask the true destination URL and can present their own security problems as a result.

The first signs of shortened-URL trouble came with a pair of Twitter worms that promised to help users remove the Mikeyy worm. In June, a wave of hidden poisoned URLs swept Twitter, using Bit.ly links to low.cc and myworlds.mp domains where users were asked to download a file called free-stream-player-v_125.exe to view a video. The file held malware. Bit.ly and TinyURL have been responsive to reports of abuse; Bit.ly, for one, now blocks those low.cc and myworlds.mp domains.

At least one security product, ZoneAlarm, blocks access to TinyURL.com by default, listing it as a potentially malicious site (you can unblock it). You have other ways to protect yourself, too. TinyURL has a preview feature, and Firefox has a Bit.ly preview add-on. Some Twitter apps, such as TweetDeck and Tweetie, also preview the URL before you click.

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
RESOURCE CENTER