Tweet With Caution – Information leakage

by Dilawer Soomro

Twitter’s rise in popularity continues to baffle internet sceptics who confidently predicted that the simple concept of regularly broadcasting “What are you doing?” was too much of a gimmick to remain popular for very long. Dubbed the internet’s short messaging service (SMS), Twitter was expected to decline in usage over time and end up as just another fad of the week. However, with more and more users and celebrities jumping on the tweeting bandwagon, the micro-blogging website has managed to silence even its harshest critics. The fact that celebrity Ashton Kutcher’s internet duel with news giant CNN – a race to see who could amass one million followers first – managed to make headlines shows the extent of Twitter’s penetration into the mainstream consciousness. And the fact that even Facebook was forced to revise its layout to incorporate Twitter-style status updates is testament to its popularity.

Impact of Twitter
The applications of Twitter are no longer restricted to home users and celebrities; members of the US Congress and even astronauts are tapping away their messages on the website. Many media outlets and banks have also started using this service to gain feedback and maintain direct contact with their customers. However, as with any popular social networking website that encourages users to share personal information about their lives and habits, the threat of information leakage and malicious usage is never far away. Amidst the constant bombardment of information from Twitter, its dark side is slowly emerging. The following are the most common security issues encountered by Twitter users.

Information leakage
The most direct risk of using Twitter is the same one inherently present in all social networks – information leakage. Users should always be careful about their message content before clicking the ‘Update’ button, because once the information is transferred over the internet it is potentially viewable by anyone. Recently, Jonathan Ross, the famous British celebrity and one of Twitter’s most prominent users, accidentally sent out his personal e-mail address in a status update. Although it was removed shortly afterwards, the damage had already been done and his inbox was soon inundated with fan mail. Even deleting an accidentally posted tweet does not provide assurance: searching via Twitter’s advanced options or using a website like tweleted.com can recover a user’s deleted tweets for viewing.

Even people who are normally wary of internet scams and phishing websites do not exercise the same discretion when giving away highly sensitive personal information on Twitter, making themselves vulnerable to identity fraud. An attacker following Twitter status updates over time can aggregate an extremely accurate profile of a victim based on nothing but their tweets. Identity theft is not the only threat; teenagers (who form a large part of the Twitter user base) must be educated about what kind of information to give out over social networking websites and what should be withheld for their own personal safety. One teenager’s status updates conveyed the message that the parents were away for the weekend and they would be all alone in their home. This is not the sort of information that any prudent person would want to broadcast over the internet.

Weak password security
One would imagine that a website with such a huge user base would ensure that its internal technical staff were well versed in good security practices. However, this did not prove to be the case. In January, a young hacker by the handle of GMZ was able to compromise an account belonging to one of Twitter’s website administrators via a simple password-breaking attack. Using the powerful privileges assigned to this ID, he reset the passwords of several high-profile Twitter users such as Barack Obama and Britney Spears. These stolen Twitter user IDs were then advertised on a hacking forum, and soon enough fake status messages started appearing from these legitimate profiles. In some cases, hackers simply made vulgar comments from these pages, while others posted false messages requesting followers to click on a link where they would be socially engineered into handing over their passwords. The dust from this incident had barely settled before another incident occurred in which administrative accounts at Twitter were accessed by an unauthorised person. In this case, the manner of gaining access was much more devious and subtle. Instead of directly launching an attack on Twitter, the attacker first gained access to an administrator’s Yahoo! account by correctly guessing the answer to his secret question. Once inside the mailbox, the attacker was able to retrieve the Twitter password by reading the staff member’s e-mails. Upon gaining access, the attacker leaked private information such as the e-mail addresses and mobile phone numbers of several high-profile Twitter users.

The official stance from Twitter in both these instances was that it would be launching a full security review of all its access points to ensure user data is safeguarded in the future. Users were also requested to change their passwords immediately. However, the fact that basic password attacks were able to create such havoc proves how a single weak link in the security chain can disrupt the overall security of an organisation. If Twitter had educated its internal staff to employ basic security practices when choosing their own passwords, the entire incident could have been avoided. Additional authentication mechanisms should also have been required before granting access to any administrative interfaces.

Phishing scams
Social networking sites have traditionally provided spammers and internet con artists with an ideal environment to operate in – Twitter is no different. With no e-mail filters to bypass and a high degree of trust placed on incoming messages, Twitter’s phishing problem seems to be increasing in direct proportion to its popularity.

The tried-and-tested technique of using a fake website with a similar name continues. In May 2009, users started receiving Twitter postings requesting them to follow a URL which would silently redirect them to a fake Twitter login page maintained on the suspicious-sounding twitter.com. An additional problem highlighted by security researchers at Sophos Labs is that Twitter users are in the habit of using URL-shortening services such as tinyurl.com to compress long URLs, which helps fit website links into Twitter’s 140-character message length. However, a shortened link gives no indication of where it will redirect the user.
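The shortener problem described above is easier to reason about with a concrete preview check. The following is an added example, not code from the article, from Twitter or from Sophos: it follows a redirect chain through a pluggable fetcher (here a constructed table standing in for HTTP responses, so it runs offline), then classifies the final hostname against a trusted list, flagging confusable spellings and trusted names embedded as a subdomain prefix. Every URL, hostname and function name below is an assumption made for the demonstration.

```python
"""Preview where a shortened link leads before trusting it (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed redirect table standing in for the Location header that a real
# HEAD request would return. None of these hostnames refer to real sites.
FAKE_REDIRECTS = {
    "http://tinyurl.example/abc": "http://tvvitter.com/login",      # lookalike
    "http://tinyurl.example/ok": "https://twitter.com/home",         # genuine
    "http://tinyurl.example/loop1": "http://tinyurl.example/loop2",  # loop
    "http://tinyurl.example/loop2": "http://tinyurl.example/loop1",
}

TRUSTED_HOSTS = {"twitter.com"}

# Character sequences that look alike in common fonts (assumed, illustrative set).
_CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("|", "l")]


def fake_fetch_location(url):
    """Return the redirect target a HEAD request would reveal, or None if final."""
    return FAKE_REDIRECTS.get(url)


def expand_url(url, fetch_location=fake_fetch_location, max_hops=10):
    """Walk the redirect chain one hop at a time without rendering any page.

    Returns (final_url, chain). Raises ValueError on a loop or on too many hops,
    both of which are themselves signs the link should not be trusted.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain[-1], chain
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def skeleton(host):
    """Reduce a hostname to a canonical form in which confusable runs collapse."""
    h = unicodedata.normalize("NFKC", host).lower().strip(".")
    for lookalike, real in _CONFUSABLES:
        h = h.replace(lookalike, real)
    return h


def classify_host(host, trusted=TRUSTED_HOSTS):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    h = host.lower().strip(".")
    for t in trusted:
        if h == t or h.endswith("." + t):
            return "trusted"          # the real domain or a genuine subdomain
    for t in trusted:
        if skeleton(h) == skeleton(t) or skeleton(h).endswith("." + skeleton(t)):
            return "lookalike"        # e.g. tvvitter.com, login.tvvitter.com
        if h.startswith(t + ".") or ("." + t + ".") in h:
            return "lookalike"        # e.g. twitter.com.login-verify.example
    return "unknown"


def check_link(url, fetch_location=fake_fetch_location):
    """Expand a (possibly shortened) link and judge its final destination."""
    final, chain = expand_url(url, fetch_location)
    host = urlsplit(final).hostname or ""
    return {
        "final": final,
        "host": host,
        "verdict": classify_host(host),
        "hops": len(chain) - 1,
    }


if __name__ == "__main__":
    for short in ("http://tinyurl.example/abc", "http://tinyurl.example/ok"):
        print(short, "->", check_link(short))
```

To use this against live links, replace `fake_fetch_location` with a function that issues a HEAD request and reads the `Location` header without following it automatically, so that each hop is inspected before the next one is taken. The verdict is only as good as the trusted list and the confusable table; it is a pre-click warning, not proof that a destination is safe.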

In June, attackers started exhibiting more originality by targeting Twitter users who were desperate to gain more followers and increase their popularity via the Twittertrain phishing website. Users started getting posts from their friends with the following message. ‘OMG WOW Im getting 100s of followers a day, Check out this site:’

Users following this link were greeted by an official-looking website which requested their Twitter user IDs and passwords, promising them huge numbers of followers. Unfortunately, this turned out to be a phishing attempt and gullible Twitter users not only handed over their credentials, but their profiles were also used to further pass on this phishing attempt to their contacts.

There can be no doubt that Twitter is a wonderful tool and its applications extend far beyond mere social interaction. The information blitz of status updates can and has been used for coordinating geographically dispersed people in times of emergency and for providing timely updates in a crisis. Having said that, the fact remains that as more and more people start relying on Twitter updates for official news, a compromise of a high-profile account or a news organisation can have disastrous consequences, potentially resulting in mass panic and damaged reputations. Any organisation looking to jump on the Twitter bandwagon in order to engage customers would do well to weigh the benefits against the expected security risks.

Dilawer Soomro runs the Techraze blog, where he writes about the latest gadgets, games, tips, and social media and technology news.