24 September 2009

Infecting you in 140 characters or less: why the Twitter Worm works

It's good to be concise when writing -- Twitter's brevity is a great thing. It can force you to write more thoughtfully. Unfortunately, its simplicity can give a false sense of security.

The current Twitter Worm is sending DMs (Twitter direct messages) to people and including a link to a site that kinda-sorta looks like an official Twitter page. The message includes a link with the text "twitter" in it, and it appears to be a message from a friend. It's enough to fool people into clicking on the link, and when they do, they are given what looks like a Twitter login screen. But when they enter their user name and password, what has really happened is that they've given up their password to criminals.

Look for more attacks like this to come, unfortunately.

Twitter's brevity has come with a price: opacity. Since people cram as much as they can into 140 characters, including links, they use URL shorteners like http://bit.ly. URL shorteners do what their name says, but they obscure where the link really goes. This can make phishing and related attacks much easier. Phishers try to steal people's information, like passwords, by fooling them into thinking they're giving the information to a trusted party. The current Twitter Worm relies on people not reading the link carefully enough. With URL shorteners that don't have a "preview" function, you have no idea where the link is going. This makes it far too easy to trick people onto a fake site.
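The two problems described above, a link that merely mentions "twitter" without belonging to twitter.com and a shortener that hides the destination entirely, can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it parses each URL found in a DM and reports whether it is the real site, a shortener that needs expanding or previewing, or a lookalike. The shortener list, the sample message and the `.example` hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: the site the DM claims to be, and a few
# shortener hosts whose links say nothing about where they end up.
TRUSTED_DOMAIN = "twitter.com"
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (a simplification; production code
    should consult the public suffix list so 'example.co.uk' is handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Return 'trusted', 'shortener', 'lookalike' or 'other' for one URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "other"
    if registrable_domain(host) == TRUSTED_DOMAIN:
        return "trusted"        # twitter.com itself or a real subdomain of it
    if host in SHORTENER_HOSTS:
        return "shortener"      # destination unknown until expanded/previewed
    # Anything else that merely *mentions* the brand -- in the host, in the
    # userinfo before '@' (which browsers do not treat as the host), or in
    # the path -- is the pattern the worm relies on: looks like Twitter, isn't.
    visible = " ".join(filter(None, [host, parsed.username, parsed.path]))
    if "twitter" in visible.lower():
        return "lookalike"
    return "other"


def audit_message(text: str) -> list:
    """Extract every URL in a DM and pair it with its verdict."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample DM in the style the post describes (not a real one).
    dm = ("hey is this you?? http://twitter.access-logins.example/login "
          "more here http://bit.ly/abc123")
    for url, verdict in audit_message(dm):
        print(f"{verdict:10s} {url}")
```

A "shortener" verdict is not a clean bill of health; it only means the link must be expanded (or previewed, where the service offers it) and classified again.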

Twitter's simplicity comes with a price as well: misplaced trust. Generally speaking, Twitter seems like a likable, simple little program without a lot of moving parts. Its user interface is straightforward. People feel comfortable with it and therefore are willing to trust it.  This means people are also likely to trust messages that seem to come from friends or from Twitter itself. This again makes it easy to fool people.

So don't get fooled again by Twitter's brevity and simplicity. Inside those short, simple tweets there still can lurk thieves.


(PS: Here is an interesting explanation of just why Twitter has the 140-character limit in the first place. An accident of history, really....)