Three Ways Twitter Security Fails
The popular micro-blogging platform Twitter continues its explosive growth. Twitter experienced a 900 percent increase in active users in the last year, according to a recent blog post from Biz Stone, the company's co-founder. People are increasingly using it to get breaking news updates, to collaborate with colleagues remotely, and connect with friends on an up-to-the-minute basis. Some businesses are using it as a new promotion and marketing tool.
Despite the popularity, Twitter still a lot to do when it comes to securing the platform. (See "3 Ways a Twitter Hack Can Hurt You.") Two security experts weighed in about three areas where Twitter poses some significant risks.
Twitter "Tweets" have a character limit of 141 characters. Many users enter urls that are too long and which are automatically truncated with a shortening service, such as TinyURL. Users can't tell where the link is going when they scroll over to it.
This makes it much easier for hackers to send out faulty or malicious links, according to Mike Murray, CISO at Foreground Security, a Florida-based security consultancy.
"With these new mediums, we've gone back to 1997 in terms of the way we act," said Murray. "When email first came out, everyone sent out forwards and all of this other stuff and everyone opened it. And we've spent the last ten years convincing people bad things can come from opening emails you don't trust. We are inoculated against that in email. We are not inoculated against that in Twitter and Facebook. We trust the people we talk to and that talk to us."
"We've been saying to people for ages: 'Be careful which links you click on and make sure it really is who it claims to be,'" said Graham Cluley, a senior technology consultant with UK-based security firm Sophos. "If you are clicking on something that is a tiny url, you don't know where you are going to end up. It is harder to check and reassure yourself about where you are really going."
Both experts agree it is important to educate Twitter users about the potential for malicious links (See: Social Networking Dangers Exposed). Instill in them that it is important to verify all of the Twitterers in their network as legitimate and consider the source before clicking on any urls.
"By now we have figured out the hygiene around email," said Murray. "If we can help users figure out that same hygiene around social networking, I think we will all be better off."
Making it too easy to "follow" users.
Many Twitter users will often follow anyone that follows them without question or concern, according to Cluley.
"We are seeing spammers create accounts and then follow thousands of people with these bogus accounts," said Cluely. "There are many people on Twitter who automatically follow back anyone who follows them without considering who on Earth this person is and whether they are a genuine account or not."
The problem is that this makes it possible for spammers to get credibility on the Twitter network. While it is possible to set up your account so that you approve all followers, not enough people actually do that. The more users a spammer gets in its network, the wider its reach, and potential for damage (See: Social Engineers Favorite Pick Up Lines).
Murray thinks the lack of control over following also brings up privacy concerns.
"That is both the power of Twitter and its biggest threat," said Murray. "Anyone can follow you and anyone can see what you are saying. And you don't know who anyone can be. It can be bad guys. It can be your competitors. By having them follow you, you have opened up that trusted medium to everyone. It is like having a phone conversation where you don't know who is listening in."
Murray advises users to treat their Twitter updates like a public conversation.
"Too many people treat it like they are having a private conversation," he said. "Treat everything you say as if you are posting it on your corporate or personal web site, because it is. It can be seen by anybody."
Lack of e-mail authentication.
When a new user sets up a Twitter account, that person is not required to prove their e-mail address is a legitimate address, which is a big problem, said Cluley.
"With lots of online web accounts, they will e-mail you to confirm registration. With Twitter, you don't have to do that," said Cluley. "You could put in firstname.lastname@example.org and it will never check. So it is very easy to create fake accounts."
That makes it even easier for spammers to create networks on Twitter, he said.
However, Murray thinks e-mail verification is one of the smaller problems with Twitter security.
"Yes, it allows impersonation and for people to set up fraudulent accounts. But people who are going to do those things are going to find ways to do it anyway. I can set up a fake Gmail account in five minutes and accomplish the same thing."