There is no question about the success of twitter, but the real-time nature of twitter brings some interesting security challenges to the surface.
First of all, many tweets contain shortened links where it is unclear what the “real” destination address is. You have no idea where you end up. There are countless examples where just the mere visit of a page leads to infection. In fact all exploit kits are designed to do so. One example is here: http://isc.sans.org/diary/Hit+by+MacDefender+Apple+Web+Security+name+your+Mac+FakeAV+here+/11053
The other problem is obviously the social problem. You follow someone on twitter because you are interested what they have to say (well that’s not really true, but anyway). So if they share a link, the click-through rate is pretty high. This in addition with the inability to determine where a link ends up with is a recipe for disaster.
Which brings me to the main point: The main security mechanism employed here is trust. I know the person I’m following and therefore I trust him/her and therefore any links are trusted as well. Seriously, what can go wrong?
The problem is that this opens up a whole new dimension of malware distribution. Typical ways are email (spam), drive-by-downloads, providing infected serial key generators to software that people are desperate not to buy a software they use, search-engine-poisoning, just to name a few. But all these are insignificant if I could manage to provide a malicious link (that nobody would detect as such) to millions of followers on twitter.
What would be the options?
- The hard way would be to start tweeting up until you have enough followers.
- It’s much easier to just compromize someone’s account and send a link to a malware (in shortened version obviously)
- Simon Pegg’s twitter account was compromized and a link to a malware pretending to be a screensaver was sent to his 1.2m followers (http://nakedsecurity.sophos.com/2011/06/26/simon-pegg-itwitter-hacked/). Obviously using a shortened URL
- You don’t even need to compromise an account at all!.
- Just start a fake story about someone and let him retweet (happened to Rafinha Bastos who send a link to a fake story about his death to his 2.4 million followers) – using a short URL service. The redirected site was down as it showed obvious signed of fraudulent behaviour.
- And of course LulzSec has apparently distributed a malicious program in their farewall message to its over 200,000 followers.
Additionally Twitter is the new way of distributing things in an insanely fast way that shouldn’t be accessible at all. For example, the source code for the notorious Zeus trojan was made public through Twitter.
So coming back to the main point of this blog. Twitter has to battle with 200 million tweets a day and can obviously not check every single link to see whether it is genuine. I trust they tell us that security is important, but every tweet is important to them in terms of growth. The short URL link providers obviously do what they can do (I tweeted about a recent phishing page they detected nicely here: http://twitpic.com/5i52g9). But they can obviously only block something they know is bad.
Trust is not and doesn’t work as a security measure.
Twitter uses a simple username/password authentication method that is convenient but broken. With the upcoming integration of twitter into iPhones and iPads, is this still enough? How many valid twitter logins were in the millions of username/passwords that were exposed in the last couple of weeks?
So be careful what links you click (always – not just in twitter).