One of the most popular activities on the microblogging service Twitter is sharing links. However, this activity is also one of the most dangerous. Ever since Twitter gained popularity, hackers and spammers have been using the service to direct traffic to their unsavory websites. For the end user, clicking on those bad links could result in, at best, an annoyance as they’re directed to some spammy website or, at worst, a full-on malware attack on their PC.
Today, it appears that Twitter is starting to do something about the problem. According to security firm F-Secure, Twitter is now blocking malicious URLs from being posted to their service.
With the new malicious URL protection built into Twitter, you’re no longer able to post links to known malicious websites. If you try to do so, you’ll receive a message reading: “Oops! Your tweet contained a URL to a known malware site!”
Since the company has not made any official announcement about the new protection, it’s unknown at this time if Twitter is using a particular service to provide the lookup capabilities for the malicious URL identification or if they are managing this process in-house. If we had to bet, though, we would go with the former. Maintaining a current “block list” for malicious websites would be a major undertaking for the startup. It’s more likely they’ve partnered with a security company of some sort to provide this service or are using a publicly available API, such as Google’s Safe Browsing API, which checks URLs against Google’s blacklist.
The need for this type of protection on Twitter is more than apparent. As of late, the service has been overrun by those wanting to use it for their own nefarious purposes. Besides just getting their links posted to Twitter itself, hackers have managed to get their malware links into Twitter’s trending topics, too. There have also been instances where the Twitter accounts of high-profile users, like Guy Kawasaki, have been hacked and then used to push malware links out to their unsuspecting followers.
Good, But Not Good Enough
Unfortunately, there’s a major issue with how Twitter is blocking malicious URLs. They’re not parsing shortened links. Because of Twitter’s 140-character limit, URL-shortening services have become the de facto standard for link sharing on Twitter. This functionality is built into numerous third-party client applications as well as into the Twitter web interface itself. Shortening a malicious link would be by far the easiest way to post a dangerous malware-laden link to Twitter – and likely the method hackers would use anyway. If Twitter does not parse all the shortened links users attempt to post, then they don’t really have a good shot at keeping malware links off their service.
Luckily for Twitter end users, the default URL-shortening service, Bit.ly, began warning users of malware last month. Although it still permits users to shorten and post links to malicious sites using Twitter, anyone clicking on the link will receive a message: “Warning – this site has been flagged and may contain unsolicited content. The content of this web page appears to contain spam, or links to unsolicited or undesired sites.”
Well, at least that’s something.
While we’re glad to see Twitter taking steps to make their service a more secure place for sharing links, we hope they’ll soon start parsing shortened URLs, too. Otherwise, this new protection won’t be that much help in the end.
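The gap described under "Good, But Not Good Enough", shown as an added Python example (not Twitter's or Bit.ly's code): a check on the URL as posted beside one that expands the link and checks every hop. The hostnames, the redirect table standing in for a shortener's HTTP responses, and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed data: a blocklist of hostnames and a table standing in for the
# HTTP 301/302 responses a shortener would return (short URL -> Location).
BLOCKLIST = {"malware.example"}
REDIRECTS = {
    "http://short.example/a1": "http://malware.example/payload",
    "http://short.example/b2": "http://news.example/story",
    "http://short.example/c3": "http://tiny.example/x",  # nested shortener
    "http://tiny.example/x": "http://malware.example/landing",
    "http://short.example/loop": "http://short.example/loop",
}
MAX_HOPS = 5


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def naive_allowed(url):
    """Check only the URL as posted, which is the behaviour the article describes."""
    return host_of(url) not in BLOCKLIST


def resolve_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects and return every URL visited, or None on a loop
    or an over-long chain."""
    chain = [url]
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            return None
        chain.append(nxt)
    return chain


def expanded_allowed(url):
    """Allow a link only if every hop resolves and none is blocklisted."""
    chain = resolve_chain(url)
    if chain is None:  # fail closed: unresolvable links are rejected
        return False
    return all(host_of(hop) not in BLOCKLIST for hop in chain)
```

Checking every hop rather than only the final destination matters because an intermediate redirector can itself be on the blocklist, and rejecting loops and over-long chains keeps the lookup bounded.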