Twitter: a growing security minefield

After three years of relatively quiet development and growth, the service's meteoric rise in 2009 has been rough

In June, the world watched as tweets from the streets of Tehran flooded Twitter. Frequent Twitter users--and people who hadn't even heard of the microblogging service--were suddenly and simultaneously witnessing its potential.

At the same time, antivirus vendors were warning of new phishing attacks that spread via Twitter. Using Twitter accounts, phishers would follow users and then infect them via a link to a fake profile page laden with malware. Like instant messaging, MySpace, and Facebook before it, Twitter had come of age.

After three years of relatively quiet development and growth, the service's meteoric rise in 2009 has been rough. Aside from scaling issues due to the influx of new users, in January a Twitter hack compromised the accounts of 33 high-profile users, including President Barack Obama, CNN anchor Rick Sanchez, and entertainer Britney Spears.

In April, a Twitter worm known as "Mikeyy" or "StalkDaily" reared its head. Similar to the 2005 Samy worm on MySpace, the Mikeyy worm was authored by a 17-year-old who took advantage of a code quirk to gain notoriety for his Web site, StalkDaily.com. Twitter shut it down--plus a few follow-up viruses ("How TO remove new Mikeyy worm!")--fairly quickly. Following the worm attacks, cofounder Biz Stone wrote on the company blog, "Twitter takes security very seriously and we will be following up on all fronts."

Shortened-URL Dangers

Parallel to the growth of Twitter is the expansion of URL-shortening services. Fitting your thoughts into 140 characters takes practice; including full URLs is almost impossible. Usually URLs have to be shortened through services such as Bit.ly and TinyURL.com, which also mask the true destination URL and can create security problems of their own as a result.

The first signs of shortened-URL trouble came with a pair of Twitter worms that promised to help users remove the Mikeyy worm. In June, a wave of hidden poisoned URLs swept Twitter, using Bit.ly links to low.cc and myworlds.mp domains where users were asked to download a file called free-stream-player-v_125.exe to view a video. The file held malware. Bit.ly and TinyURL have been responsive to reports of abuse; Bit.ly, for one, now blocks those low.cc and myworlds.mp domains.

At least one security product, ZoneAlarm, blocks access to TinyURL.com by default, listing it as a potentially malicious site (you can unblock it). You have other ways to protect yourself, too. TinyURL has a preview feature, and Firefox has a Bit.ly preview add-on. Some Twitter apps, such as TweetDeck and Tweetie, also preview the URL before you click.

Security researcher Aviv Raff designated July 2009 as "A Month of Twitter Bugs," during which researchers are to disclose a new Twitter vulnerability each day. Citing previous efforts focused on browsers and on Apple Mac OS vulnerabilities, Raff says his goal is not to break Twitter but to improve it and to address all social networking flaws: "I hope that Twitter and other Web 2.0 API providers will work closely with their API consumers to develop more secure products." The first disclosed Twitter bug concerned cross-site scripting flaws in Bit.ly. Within hours of the disclosure, Bit.ly corrected them.

Follow Me, Please

A frequent goal of Twitterers is to build an audience; some people rate their profile a success if it has hundreds or even thousands of followers. A site called TwitterCut advertised that it would dramatically increase your base of followers--if you gave it your user name and password. Most security vendors deemed it a pay-per-click scam.

People who fell for the scam saw their Twitter accounts later used in the "Best Video" phishing attack, in which anyone who visited the link in the tweet downloaded a malicious PDF that, if the PC lacked the latest Adobe security update, then attempted to install a fake security product.

Gone Phishing

Most Twitter phishing attempts, however, are more straightforward. Twitter routinely notifies users of recent followers by e-mail, often with a link to the follower's profile. Recent phishing attacks spoofed that e-mail and held a link to a faux Twitter log-on page.

Another variation of the phishing scam sent out a tweet reading, "Hey, check out this funny blog about you." Clicking the URL took the victim to a fake page (at twitter.access-logins.com/login/). No matter how good the site looks, examine the URL, and think twice about entering your info--especially if you are already logged in to Twitter.
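The two checks this article recommends, previewing where a shortened link really goes and examining the host of any log-on page, can be automated. The script below is an added example and is not code from PC World or from Twitter, Bit.ly or TinyURL. It expands a shortened URL by following redirects through a caller-supplied resolver, caps the number of hops so a redirect loop cannot hang it, and then flags the final destination when it lands on one of the domains the article names (low.cc, myworlds.mp), points at an executable download such as the free-stream-player-v_125.exe file, or serves a "login" page on a host that merely contains the word twitter (like twitter.access-logins.com) rather than twitter.com itself. The redirect table, the resolver, the list of legitimate login hosts and the two-label domain rule are all constructed assumptions so the script runs offline; a real tool would issue HEAD requests and use the public suffix list.

```python
"""
Added example (not from the PC World article): an offline "preview" for
links seen in tweets. It expands a shortened URL by following HTTP
redirects through a caller-supplied resolver, then flags the final
destination when it lands on a known-bad domain, looks like a login
page on a Twitter lookalike host, or points at an executable download.
The resolver used here is a constructed in-memory table so the script
runs without network access; a real deployment would issue HEAD
requests instead.
"""
from urllib.parse import urlsplit

MAX_HOPS = 5

# Domains the article names as used by the June 2009 poisoned-link wave.
BLOCKED_DOMAINS = {"low.cc", "myworlds.mp"}

# Hosts that legitimately serve Twitter's login page (assumption for this example).
LEGIT_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}

# Path suffixes that mean "you are about to download a program, not watch a video".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat")

# Constructed redirect table standing in for HEAD responses: source -> Location.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://myworlds.mp/watch?v=1",
    "http://myworlds.mp/watch?v=1": "http://low.cc/free-stream-player-v_125.exe",
    "http://tinyurl.com/funnyblog": "http://twitter.access-logins.com/login/",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
    "http://bit.ly/ok": "https://twitter.com/login",
}


def fake_resolver(url):
    """Return the redirect target for url, or None when it is a final page."""
    return FAKE_REDIRECTS.get(url)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for .com/.cc/.mp;
    a real tool should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def expand(url, resolver, max_hops=MAX_HOPS):
    """Follow redirects and return (chain, truncated). chain[0] is the input
    and chain[-1] the last URL reached. truncated is True when a loop or the
    hop limit stopped us, meaning chain[-1] is not a verified final page."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain, False
        if nxt in seen:  # redirect loop
            return chain + [nxt], True
        chain.append(nxt)
        seen.add(nxt)
    return chain, True


def classify(url, resolver=fake_resolver):
    """Expand url and return its redirect chain, final URL and a list of warnings."""
    chain, truncated = expand(url, resolver)
    final = chain[-1]
    parts = urlsplit(final)
    host = parts.hostname or ""
    warnings = []
    if truncated:
        warnings.append("redirect chain did not terminate within hop limit")
    if registrable_domain(host) in BLOCKED_DOMAINS:
        warnings.append(f"destination domain {registrable_domain(host)} is blocklisted")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        warnings.append("destination is a direct executable download")
    looks_like_login = "login" in parts.path.lower()
    if looks_like_login and "twitter" in host and host not in LEGIT_LOGIN_HOSTS:
        warnings.append(f"login page on Twitter lookalike host {host}")
    return {"chain": chain, "final": final, "warnings": warnings}


if __name__ == "__main__":
    for u in ("http://bit.ly/abc123", "http://tinyurl.com/funnyblog",
              "http://bit.ly/loop1", "http://bit.ly/ok"):
        result = classify(u)
        print(u, "->", result["final"])
        for w in result["warnings"]:
            print("   !", w)
```

The lookalike check deliberately compares the full hostname against an allow-list rather than asking whether the name "contains twitter"; the phishing host in the article passes the second test and fails the first, which is the whole point of examining the URL before typing a password.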

Bad guys have tried more-subtle tactics, too, such as the porn-name game. According to the game, to create the name you'll use during your adult-film career, you take the name of your first pet and combine it with the street you grew up on, your mother's maiden name, or the model of your car. Recognize those things? They're common security questions. By tweeting your answers, you could give away access to your Twitter account--or to your bank account.

Some of the emerging security rules for using Twitter are simply common sense. Just as you wouldn't leave a phone message saying you'll be out of town, don't tweet your vacation plans. And please don't share your location if you're a U.S. congressperson going on a confidential overseas trip. Just ask Representative Pete Hoekstra (R-MI), who tweeted earlier this year: "Just landed in Baghdad. I believe it may be [the] first time I've had [BlackBerry] service in Iraq."


Robert Vamosi

PC World (US online)