
April 27, 2010


The real security issue with Twitter

I like Twitter.  I know it has its problems, like broadcasting your location to all and sundry, which does result in some amusing tweets like this pair I spotted from Rich Mogull this morning:

rmogull
Me. Wife. Local IPA. Beach. Dinner. Sunset. Did I mention Maui

rmogull
Don’t worry- we have an alarm system, someone staying at our house, and an attack cat. She’s very cute.

but that is not what I am worried about.  What I am concerned about is something else, and since Mr Mogull is the informed security guy he is, I cannot use anything from his Twitter stream as an example.  So I will have to pick on a celebrity, say Stephen Fry.

stephenfry
I’m really not tweeting, book so achingly close to completion. But this is time sensitive so – http://tinyurl.com/y4avzcj – good cause x

Now Stephen, where are you sending us with that link?  Is it to eBay to bid on a signed football to help kids with leukaemia?  Or perhaps to a fake eBay site that is going to take our PayPal or credit card details?  Or just to some really nasty site that is going to offend us, or try just about every drive-by download technique until one of them catches us?

Who knows.  All we see is a hash at the end of the URL, or perhaps, if it is one of the services that supports it, a nice human-readable string that may make it look even safer.

This is the danger with tinyurl and other URL shortening services like Is.gd, Bit.ly, Twurl.nl, Tr.im, Sn.im and Cligs. The thing is that until you click you do not know where it goes.  Some of the URL shortening services do try to check the resultant URL, but there is only so much they can do, and as the user you do not get to choose which service is used: you are reliant upon a link provided by someone else.  Someone who, in these days of abundant social media, could be anyone.

One easy solution would be for all of the link shortening services to provide a simple lookup that returns the expanded hyperlink. I know bit.ly can do this, as they provide the next piece in the puzzle, which is a browser plug-in that allows the user to hover over the shortened link and see the expanded URL as well as details of who produced it.  This should find itself engineered in some form into everything that could possibly consume a shortened URL.  At least then we are back to the point we spent ages training users to get to: hovering over a link and checking in the status bar that it links to where they think it should.
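The lookup described above can be built without any help from the shortening service: a client asks for the short link with redirects switched off, records each hop, and reports the final destination so it can be inspected before anyone visits it. The following is an added example, not code from the original post or from bit.ly's plug-in. The `http_head` fetcher uses only the standard library; the `FAKE_CHAIN` table and the hostnames `auction.example` and `is.gd/loopA` in it are constructed so the resolver runs offline, and the list of shortener hosts is taken from the services the post names.

```python
"""Expand a shortened URL hop by hop without visiting the final page.

Added example (not part of the original post). It implements the lookup the
post asks for: given a short link, return the real destination, the hops in
between, and anything about the chain that deserves a second look before
clicking. The default fetcher refuses to follow redirects itself, so every
hop is observed and counted; FAKE_CHAIN is a constructed fixture for running
the resolver offline.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Shortener hostnames named in the post. A final destination on one of these
# means the chain was cut off before reaching a real page.
SHORTENER_HOSTS = {"tinyurl.com", "is.gd", "bit.ly", "twurl.nl", "tr.im", "sn.im"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetcher takes a URL and returns (HTTP status, Location header or None).
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so each hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def http_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Issue one HEAD request and report its status and Location header."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled a 3xx surfaces here; keep its Location.
        return err.code, err.headers.get("Location")


@dataclass
class Expansion:
    final_url: str
    hops: list[str] = field(default_factory=list)
    stopped_early: bool = False
    warnings: list[str] = field(default_factory=list)


def expand_short_url(url: str, fetch: Fetcher = http_head, max_hops: int = 5) -> Expansion:
    """Follow redirects manually, bounded by max_hops, and flag odd chains."""
    result = Expansion(final_url=url)
    seen = set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            result.warnings.append("redirect loop")
            result.stopped_early = True
            break
        seen.add(current)
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break  # a real page (or an error): this is the destination
        current = urljoin(current, location)  # Location may be relative
        result.hops.append(current)
    else:
        # Loop ran out of budget while still being redirected.
        result.stopped_early = True
        result.warnings.append(f"more than {max_hops} redirects")

    result.final_url = current
    parsed = urlparse(current)
    if (parsed.hostname or "") in SHORTENER_HOSTS:
        result.warnings.append("destination is itself a shortener")
    if parsed.scheme != "https":
        result.warnings.append("destination is not https")
    if len(result.hops) > 1:
        result.warnings.append("chained through more than one redirect")
    return result


# Constructed offline fixture: short codes and the auction host are invented.
FAKE_CHAIN = {
    "http://tinyurl.com/shortA": (301, "http://bit.ly/shortB"),
    "http://bit.ly/shortB": (301, "https://auction.example/item/signed-football"),
    "https://auction.example/item/signed-football": (200, None),
    "http://is.gd/loopA": (302, "http://is.gd/loopB"),
    "http://is.gd/loopB": (302, "/loopA"),  # relative Location back to loopA
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for http_head backed by FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://tinyurl.com/shortA", "http://is.gd/loopA"):
        exp = expand_short_url(start, fetch=fake_head)
        print(start, "->", exp.final_url, exp.warnings)
```

Run against a live link by dropping the `fetch=fake_head` argument; `http_head` then performs real HEAD requests, one per hop. The hop cap and loop detection matter because a chain of shorteners is exactly what a reader cannot see from the tweet, and a destination that is still a shortener after five hops is worth treating as unknown rather than safe.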

  1. May 1 2010

    I saw this http://unweary.com/2009/04/the-security-implications-of-url-shortening-services.html in the @Symantec twitter feed yesterday. Good analysis and explanation of the issue.
