Few people would characterize the popular and influential microblogging service Twitter as "secure." Hack attacks on Twitter, and Twitter users, appear to be increasing (latest: Twitter hit with "Don't Click" clickjacking attack).
There are two potential security issues currently plaguing the popular social network: the popular use of link shorteners like TinyURL that lead users to unknown destinations, and a single login system that some hope will be fixed with the arrival of OAuth.
Don't click on that link!
Whenever I see an interesting tweet followed by a TinyURL link, I click it. I'll admit it. I don't even consider the ramifications of my actions and often, I'm surprised by where I go.
But I don't think I'm alone. TinyURL is the most common link you'll see on Twitter, but it's also one of the easiest ways for a malicious user to expose you to issues ranging from phishing scams to malware installs.
Luckily, Twitter is aware of this issue, and according to its co-founder, Biz Stone, the company is working on ways to make linking safer on the site.
"User security is absolutely a concern and we're working to make the interface safer in that regard," Stone told ZDNet blogger Jennifer Leggio. "We are looking into other ways to display shared links, for example noting whether a link goes to a picture or a video or some other media element. While more a feature, this could help in addressing some of the risk with the URL redirection."
Ginx, a new third-party service (which ironically requires your Twitter login credentials to function; see next section), automatically expands shortened URLs before you click on them.
But what about stopping the use of TinyURL, Bit.ly, and other link-shortening services altogether? So far, Twitter has not indicated that it wants to do that and, as some security experts claim, it shouldn't consider that option.
Peter Gregory, a professional security expert and blogger at the Securitas Operandi blog, said he believes TinyURL use "basically comes down to trust: do you trust the source of the link, or is the creator of the link luring you into visiting a malicious Web site that will attempt to implant malware on your computer?"
Both TinyURL and Bit.ly seem poised to answer that call.
Last year, TinyURL introduced a major improvement to the service that anyone using Twitter should use: a preview feature.
TinyURL's preview feature doesn't require registration and instead asks to place a cookie on your machine. Once you surf to the company's preview page, it asks if you want to enable a TinyURL preview. If so, you only need to click the link on the site and from that moment forward, any TinyURL link you click in Twitter or elsewhere across the Web won't immediately send you to the destination site. Instead, you will be redirected to a TinyURL preview page that allows you to examine the link and decide if you want to go to the respective page.
Bit.ly, another URL-shortening service, provides a Firefox plug-in that allows you to preview links. With both solutions running, the risk of being redirected to a malicious site should be cut down considerably, though not eliminated--nothing in link security is a sure thing.
But that's just one security issue Twitter and its users are forced to confront each day.