
Twitter Tries to Tame Tainted Links

Faced with a recent surge in the number of malicious software programs using its micro-blogging service to spread, Twitter is making an effort to block users from posting links to known malicious Web sites.

The initiative, first noted in a blog posting by Finnish anti-virus maker F-Secure Corp., involves the use of Google's Safe Browsing program, which the search giant uses to prevent Internet users from visiting Web sites that Google's bots have flagged for installing malicious software.

"Our Safety and Security team has been using the Safebrowsing API for many months," Twitter co-founder Biz Stone wrote in a reply to an inquiry by Security Fix.

Web sites flagged in Google searches by the Safe Browsing bots are generally accompanied by a warning under the search result listing that reads: "This Site May Harm Your Computer." If you ignore that warning and click the link anyway, Google will try to prevent you from visiting the site.

[Image: tweettest3.JPG]

If you try to Tweet a link to a site flagged by Google's Safe Browsing program, Twitter blocks the attempt, briefly displaying a message that reads: "Oops! Your tweet contained a URL to a known malware site!"

As others have noted, however, this approach is far from perfect. For one thing, Google's program indexes only a fraction of the malicious sites out there. What's more, Twitter's URL filtering treats the same malicious URL differently, depending on how it is tweeted.

For example, Twitter will allow me to tweet a link to y18032009.com, a site that has been identified by Google's Safe Browsing program as malicious. (Don't visit the site, but you can read Google's writeup on it here.) If, however, I add a "www." to the front of that Web address, Twitter's malware warning blocks my Tweet.

Unfortunately, Twitter fails to block that same URL if I run it through any one of the popular URL-shortening services out there. Hopefully, Twitter will work this out going forward, since a majority of the malware threats spreading via Twitter appear to have been disseminated via shortened URLs.
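One way a link filter can treat these variants alike, as an added example that is not Twitter's or Google's code: reduce every link to a canonical host, ignore the scheme, and check each hop of a shortened link. The form of the blocklist entry, the `short.example` shortener and its redirect table are constructed assumptions; a real filter would follow HTTP redirects instead of a table.

```python
from urllib.parse import urlsplit

def strip_www(host):
    """Treat www.example.com and example.com as the same site."""
    return host[4:] if host.startswith("www.") else host

def canonical_host(url):
    """Lower-cased host without scheme, port, trailing dot or leading www."""
    if "://" not in url:              # bare "example.com/path" as typed in a tweet
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return strip_www(host)

def host_candidates(host):
    """The host plus its parent domains, so sub.bad.com also matches bad.com."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):   # IPv4 literal: no suffixes
        return [host]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

# Constructed data: the hostname is the one named in the article; the form in
# which a real list stores it is an assumption, so entries are normalized too.
BLOCKLIST = {canonical_host(h) for h in ["www.y18032009.com"]}

# Hypothetical shortener mapping, standing in for following HTTP redirects.
SHORTENER_REDIRECTS = {"http://short.example/abc": "http://www.y18032009.com/"}

def resolve_chain(url, max_hops=5):
    """Every URL visited while expanding a shortened link (loop-safe)."""
    chain = [url]
    while url in SHORTENER_REDIRECTS and len(chain) <= max_hops:
        url = SHORTENER_REDIRECTS[url]
        chain.append(url)
    return chain

def is_blocked(url):
    """True if any hop of the link lands on a blocklisted host or subdomain."""
    return any(
        candidate in BLOCKLIST
        for hop in resolve_chain(url)
        for candidate in host_candidates(canonical_host(hop))
    )

if __name__ == "__main__":
    for link in ["y18032009.com", "http://www.y18032009.com/",
                 "ftp://y18032009.com", "http://short.example/abc",
                 "http://example.org/"]:
        print(link, "->", "blocked" if is_blocked(link) else "allowed")
```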

Alert readers may have noticed from the above image that my Twitter name is "briankrebs". Please feel free to follow me on Twitter!

By Brian Krebs  |  August 4, 2009; 4:32 PM ET
Categories:  From the Bunker , Safety Tips  | Tags: google, twitter, url shorteners  

Comments

Fortunately, when I Tweet, it is only to point my followers to great web pages or TV shows/movies on comcast.net or fancast.com. So in addition to Brian, you can follow my Twitter feeds @ comcastdotnet and fancastfan.
Brian, you are invited too:)

- Jim

Posted by: jbk123 | August 4, 2009 9:42 PM

Nice article. You are a good security writer Mr. Krebs. Not too simple, not too technical.

Posted by: Bitter_Bill | August 5, 2009 8:49 AM

Within a week of my setting up a Twitter account, I got more spam tweets than legitimate ones. I also got close to 35 obscene spam texts on my cell phone, because I was stupid enough to set up my cell phone for sending tweets. Goodbye, and good riddance, Twitter. I should send them a bill for the costs of texts.

Posted by: WashingtonDame | August 5, 2009 11:04 AM

Brian, thanks for another important blog posting on security matters! But frankly, I'd much rather follow your work here on your Washington Post blog, than on Twitter, so please don't abandon the former for the latter!...

Henri

Posted by: mhenriday | August 5, 2009 11:43 AM

Thanks for the heads up. I'm very careful to only post links to sites that I have been on and don't follow the obvious people who are scammers. If you're curious, check me out on Twitter
http://twitter.com/cherry_LA
I'm more of a current events, movie, music and random opinions about life/liberty and love type of woman!

Cherry

Posted by: gabby_31 | August 5, 2009 2:05 PM

Couple of technical notes for those interested:

* After the malware warning is displayed, your entire tweet is discarded (the input field is blanked and reset) instead of the link being removed and the preceding text preserved.

* ftp://y18032009.com is permitted, and so is the IP address such as http://218.93.202.50 - meaning different protocols, IP as well as hostname is not blocked

So be aware that many backdoors exist to link to malware sites, assuming those sites use aliasing or open ports to infect your computer. As many do but certainly not all. Not trying to scare anyone, knowledge is power.

-Jim Goldbloom (twitter: jimgoldbloom)

Posted by: JimGoldbloom1 | August 5, 2009 2:10 PM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company