Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

How safe is Twitter?

 
Writer
Warrior


Joined: 28 Feb 2007
Last Visit: 05 Oct 2009
Posts: 57

Posted: Sat Aug 22, 2009 11:37 pm    Post subject: How safe is Twitter?

Hi everyone.

I'm not a big fan of social networking websites at all, but a few of my friends who I'm not able to see all the time have Twitter accounts and told me I should check them out to see what they're up to. They even recommended that I make an account so we can chat when they're not around.

What kind of jeopardy would I be putting my computer's safety in by going to Twitter and creating an account? My main concerns are basically the type of nasties that I and many others have come here to receive help with. I know not to click on links from people I don't know and I also have Noscript and Adblock Plus installed in Firefox in addition to anti virus/malware software. Can you get a virus/malware on Twitter just by viewing someone's, or only by clicking on a link which would direct you somewhere bad?
aBenG
Warrior


Joined: 06 Apr 2006
Last Visit: 28 Feb 2012
Posts: 297
Location: Darkest UK

Posted: Sun Aug 23, 2009 3:31 am    Post subject:

Like yourself I'm not a user of these sites, but as far as I understand it the main dangers come from dodgy links and scams, not to mention people posting more personal information online than is sensible.

You can pick up drive-by malware from just about any site I think, especially if hackers have been busy. I doubt Twitter/Facebook is an exception there. As long as you have a well set up and up-to-date layered defence on your computer, and stay aware of links/scams etc. you should be reasonably safe though.

Adblock and NoScript are practically essentials these days, and a lot of people here use a good HIPS/Process Firewall as a last line of defence in case something slips by the AV/AS.
_________________
Inperfect.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Sun Aug 23, 2009 11:16 am    Post subject: Re: How safe is Twitter?

Writer wrote:
What kind of jeopardy would I be putting my computer's safety in by going to Twitter and creating an account?
[...]
Can you get a virus/malware on Twitter just by viewing someone's, or only by clicking on a link which would direct you somewhere bad?


Time and again, there have been several Twitter exploits exposed, which in theory could redirect visitors to iframed exploit sites and infest vulnerable victims with rather unwanted "goodies". Google reveals a lot of links:
http://www.google.com/search?q=twitter+exploits

Apart from technical exploits, there is always the risk that the desire to belong to a group may trick some people into doing things they normally would not do (if on their own). Social websites may lead to exposing details of one's life that not only can be found by future employers doing research on a potential candidate, but also by criminals for launching highly targeted frauds. Once in the search engines, it is very hard to erase those traces later on:
http://en.wikipedia.org/wiki/Peer_pressure
http://en.wikipedia.org/wiki/Groupthink

And as an illustration of how far it can get:
http://en.wikipedia.org/wiki/Asch_conformity_experiments
http://en.wikipedia.org/wiki/Milgram_experiment

This is, in my opinion, the greatest danger of such sites.

O.
Nick
Site Admin


Joined: 27 Feb 2004
Last Visit: 15 Jul 2014
Posts: 3913
Location: California

Posted: Sat Aug 29, 2009 1:06 pm    Post subject:

Twitter is no more insecure than any other website. Email can expose you to more harm than using twitter. You can't add malware as an attachment or post your own code on a twitter page.

You can set your profile to private so you can control who views your and tweets. If you are only following friends and not every possible person out there, there shouldn't be any problems. If you trust them to email you, then viewing their tweets. UNLIKE EMAIL, people can't send you posts and links if you aren't following them.

Since there's a 144 character limit, links aren't apparent to where they really go. You can easily get a preview of where the links go. LongUrl.org is one. You can get a Firefox extension to see the real link just by hovering over the link. See it in action.

Also, you can follow sites like BBC, CNN or many other sites to get news as it happens. Discovery channel, your local PBS station and many other sites have twitter accounts. You can customize it to what you want. It's far more than what Paris Hilton did yesterday. You can make it what you want. If your profile is private, then you have all the control.

The uses outweigh any harm by a million to one.
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Sun Aug 30, 2009 1:57 am    Post subject:

Nick wrote:
Twitter is no more insecure than any other website. Email can expose you to more harm than using twitter.


This statement is so ignorant and outright wrong that I really have a hard time keeping calm:
1. Websites on the Internet aren't all the same. Some use no server side scripting at all, others use server side scripting for few actions or maintain user and right management for an entire site. This alone should provide a reasonable person enough clues that with increasing code complexity, the potential source of errors should steadily increase. There might be privilege escalations, directory traversal errors, or flawed mechanisms (i.e. regular expressions) that are to serve as filter to prevent the injection of harmful code. Apart from the code itself, there may be third party add-ons, weak authentication mechanisms and errors caused by the users themselves like feeble minded passwords (password = username and similar things) that aren't checked for.

2. Email alone cannot do anything at all, because it is merely text based.
It does contain extensions that allow the conversion of binary content to a text compatible format (base64 encoding for example), but reading the files, as they pour in on a mail server, does not do any harm. Sane mail clients that interpret mail features (like attachments, forwarding, html interpretation), do not display remote images unless they are explicitly told so by the client. The days where activeX or javascript is executed by OutlookExpress and other sick Windows products are long gone, so this does not apply for present times.

Flaws in web based email clients are not a flaw in email, but the server side scripts (or more general, the "webmail provider") interpreting the mailbox' content (including loading javascript and remote images when they shouldn't), therefore they cannot serve as proof that email in itself, as you wrote it, may expose someone to more harm than any website. At most, email can incite the recipient to visit dodgy websites, but technically, this cannot be attributed to email, but to a layer 8 error (problem between the chair and the monitor) and a loaded website probing for several exploits to increase the likelihood of an infestation.

Quote:
You can set your profile to private so you can control who views your and tweets. If you are only following friends and not every possible person out there, there shouldn't be any problems. If you trust them to email you, then viewing their tweets. UNLIKE EMAIL, people can't send you posts and links if you aren't following them.


If Twitter does not by default use a restrictive set of permissions, then it is not reasonably secure, because it follows a dangerous approach (allow everything so people aren't upset because something isn't working). By the same reasoning, one could argue that some insecure webmail client that defaults to running javascript and displaying remote images can be made secure by turning these features off. Apart from that, this is just not the way Twitter works. A social site is a place where people learn about others, seemingly interesting persons who they try to socialise with. Malicious users may well do a good job in covering up their intentions, just like spammers who do this for a living, know how to set up a fake content site to draw traffic to their affiliate links. Twitter allows setting links. What if one of those links seems reasonable because it comes from a "friend" and provides real content, because its payload is loaded in an iframe from a remote site? Apart from malicious links, Twitter has been subject to several exploits that enabled malicious users to take advantage of various things:

Quote:
Aviv Raff said the Twitter vulnerability could expose users to malware-hosting websites. "It can force people to follow you, which means all your twits will be showed in their Twitter home page, including potentially malicious links," Raff said.

http://www.pcadvisor.co.uk/news/index.cfm?newsid=13915

Quote:
It turns out that if someone decides to use a domain name as their twitter username, the e-mail you receive saying they are following you will generate their username as a link. Now obviously I am an internet savvy person and yet I still managed to accidentally click on this link, which directed me to a website. I most likely clicked the link out of habit; most follower notifications only have a single clickable link in the body of the e-mail, which directs you to the followers Twitter profile.

http://www.musingsforadarkenedroom.com/social-media/the-twitter-exploit-that-could-hurt-you/

This post is just a few days old:

Quote:
With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets - and they are logged in to Twitter - their account could be taken over.

http://www.davidnaylor.co.uk/twitter-exploit-still-works.html

To me, this looks like a lot more danger than your average website (including those providing email services).

Quote:
The uses outweigh any harm by a million to one.


Do you have any proof for this ratio by citing a credible source, or is this another statement people have to take for granted because you say so (aka. appeal to authority)?
It is my considered opinion that it makes you look funny, when you spout off content free statements about subjects you do not seem to have any expertise in and do not even bother to do research as verification of your "statements". This, in my opinion, makes you look like someone who seems to be more led by showing off his "MVP", "SecurityTicker" and "Administrator" badge than by the desire to add reasonable arguments and valuable information to a discussion.

O.
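
Added example, not part of the thread or any poster's code: a Python check over a follower-notification body that reports every host the message can send a reader to other than the service's own, covering the domain-name-as-username case quoted in the post above. The trusted host list, the function and class names, and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts a genuine follower notification should link to.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}

# Bare tokens such as "win-prizes.example" that many mail clients auto-link.
BARE_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects explicit href targets and the visible text between tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_data(self, data):
        self.text.append(data)


def untrusted_link_targets(body):
    """Return the sorted hosts a notification body can send the reader to
    that are not in TRUSTED_HOSTS: explicit hrefs plus auto-linkable text."""
    parser = _LinkCollector()
    parser.feed(body)
    parser.close()
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    # A username that is itself a domain name shows up here, not in hrefs.
    for token in BARE_DOMAIN.findall(" ".join(parser.text)):
        hosts.add(token.lower())
    return sorted(h for h in hosts if h not in TRUSTED_HOSTS)


# Constructed sample: the follower's username is itself a domain name.
SAMPLE = (
    '<p>win-prizes.example is now following you on Twitter.</p>'
    '<p><a href="https://twitter.com/win-prizes.example">View profile</a></p>'
)
```

Run against outgoing notification templates or a quarantined mailbox, an empty result means the message offers the reader no clickable destination outside the trusted hosts.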
All times are GMT - 8 Hours