IDG News Service - Hoping to deal with a growing problem, Twitter has quietly introduced a feature to prevent users from posting links to malicious Web sites. But security experts say that it can be easily circumvented.
The feature was first noticed Monday by Mikko Hypponen, chief research officer with security company F-Secure. When someone tries to post a link to a malicious Web site, Twitter pops up a short notification saying "Oops! Your tweet contained a URL to a known malware site," and, after a few seconds, deletes the post.
Twitter is using Google Inc.'s Safe Browsing API to check for malicious links, a Google spokesman confirmed Monday.
F-Secure says it's recommended that Twitter start doing this because the site "is increasingly targeted by worms, spam and account hijacking," according to Hypponen's blog post. A month ago, technology entrepreneur Guy Kawasaki's account was misused to post a link to a malicious Web site. In recent weeks users have been hit with links to fake, and sometimes malicious, "rogue" security software.
Security experts said that while Twitter's filtering is a good first step, it still needs some work.
In tests, the feature blocked a URL that led to a phishing site, but it allowed the same link to post if it was shortened using services such as Tinyurl.com or Bit.ly. Because Twitter enforces a strict 140 character limit on each message, these URL shortening services are the most common way of posting links to Twitter.
The filter also permitted the phishing link when the "www" subdomain was stripped from the front of the URL.
Twitter did not return messages seeking comment.
"This is a common problem with this sort of filtering service," said Chris Boyd, director of malware research with FaceTime Security Labs.
However, even if Twitter isn't blocking malicious URLs when they've been shortened, users still get some protection. That's because some of these URL-shorteners use the Google's API themselves. Bit.ly, which is used to post more than half of all Twitter links, uses the API to block people from visiting malicious sites, for example.
Boyd said it will probably take Twitter a while to get its Web filtering up and running properly, "but even some protection is better than none."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts