When I compiled my crowdsourced 2009 predictions earlier this month, several people shared the same forethought with me: URL redirection leveraged by phishers could create a bottoming out of sorts for Twitter. The concern is that masked URLs could lead to stolen data or drive-by malware, and that by the time the poor user who clicked the link figures out what happened, it is already too late.
I'm uncertain as to why users are more concerned about this threat in 2009 than they were in 2008, nor am I certain why Twitter is getting singled out. I imagine part of it is because Twitter is starting to go more mainstream, and early adopters of social networks tend to be more tech and security savvy than the general user. Regardless, social networks are starting to take this apparent threat more seriously, with FriendFeed the furthest ahead: it recently introduced a lauded security feature, a scrollover preview for redirected URLs. FriendFeed users can now see the destination URL they are about to click and gauge for themselves any apparent risk.
When I spoke with Twitter co-founder Biz Stone in June, he told me that the social network was concerned about URL redirection and was "looking into other ways to display shared links, for example noting whether a link goes to a picture or a video or some other media element." A month later, Twitter acquired Summize and turned it into Twitter Search, which now does, in fact, include a URL expansion option on its search results page. However, there is nothing yet on the Twitter Web site itself, nor is there a way to mandate URL expansion through the many Twitter clients. I briefly caught up with Stone again yesterday, and he told me that plans for increased security continue to be a work in progress.
"You can expect us to provide a better experience on the home page as well but I don't have an exact deploy date for you right now," he said.
But how much do these security features help with URL redirection anyway?
"The scrollover is only useful for users who are Internet savvy enough to recognize what may be a potentially malicious Web page from the URL itself," said Adam J. O'Donnell, Ph.D., director of emerging technology for Cloudmark and ZDNet security blogger. "If you look at it another way, providing scrollover URL reveals hasn't stopped phishing."
Web developer and computer programmer Shannon Whitley notes that Twitter pushing out more URL redirection security features might be incredibly complicated from a technology perspective, and somewhat fruitless in the long run.
"The feedback mechanism is so tight on Twitter that you're likely to receive a hundred tweets warning you against clicking on a link for every one or two people that are hit by a phishing scam," he said. "Additionally, the scrollover would not be effective for anyone using a Twitter client. Therefore, the expanded link(s) would have to be added to the Twitter API and each client will have to implement the rollover as well. It sounds like a lot of work that will take quite a bit of time for a limited benefit."
Does the same apply to other social networks? Surprisingly, youngsters FriendFeed and Twitter are further ahead than the more established socnets on this issue:
- MySpace lets users simply paste in a shortened URL and automatically hyperlinks it, with no preview or scrollover.
- LinkedIn does the same in its status messages, minus the hyperlinking: the URL is included as plain text, making it harder for the site to monitor and impossible to preview.
- Facebook requires CAPTCHA verification when a user attempts to include a redirected URL, but it does not provide a preview or monitor the URLs.
FriendFeed and Twitter are, indeed, ahead of the pack, but O'Donnell notes that due to the flawed human element these sites also need to monitor what's being redirected.
"FriendFeed and Twitter, like any other content providers, should be checking to see if the URLs are pointing to either spam or malware and removing them from their content if they are doing so," he said.
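To make concrete what both the "URL expansion" feature Stone describes and the monitoring O'Donnell asks for actually involve, here is an added example (mine, not code from the article, Twitter, FriendFeed or Cloudmark). It resolves a shortened link by following its redirect chain one hop at a time without fetching or rendering the destination page, enforces a hop limit, detects redirect loops and non-HTTP schemes, and then checks the final host against a blocklist. The short-link hosts, redirect table and blocklist are all constructed placeholders so the code runs offline; a real deployment would replace `fetch_location` with a HEAD request that does not auto-follow redirects and has a timeout.

```python
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: short URL -> Location header the
# server would return, or None when the URL serves content directly.
# Every host here is made up for the example.
FAKE_REDIRECTS = {
    "http://tinyurl.example/abc1": "http://bit.example/xyz",
    "http://bit.example/xyz": "https://photos.example.com/cat.jpg",
    "https://photos.example.com/cat.jpg": None,
    # constructed phishing chain ending on a look-alike login host
    "http://tinyurl.example/evil": "http://login-twitter.example.net/verify",
    "http://login-twitter.example.net/verify": None,
    # two shorteners pointing at each other
    "http://tinyurl.example/loop1": "http://tinyurl.example/loop2",
    "http://tinyurl.example/loop2": "http://tinyurl.example/loop1",
    # relative Location header, must be resolved against the current URL
    "http://tinyurl.example/rel": "/landing",
    "http://tinyurl.example/landing": None,
    # a redirect into a non-HTTP scheme must never be displayed as a link
    "http://tinyurl.example/js": "javascript:alert(1)",
}

# Constructed blocklist of hosts known to serve phishing or malware.
BLOCKLIST = {"login-twitter.example.net"}

MAX_HOPS = 5


def fetch_location(url):
    """Stand-in for an HTTP HEAD that does NOT follow redirects
    (e.g. requests.head(url, allow_redirects=False, timeout=5)).
    Returns the Location header, or None if the response is final."""
    if url not in FAKE_REDIRECTS:
        raise LookupError("URL not in constructed table: " + url)
    return FAKE_REDIRECTS[url]


def expand_url(url, max_hops=MAX_HOPS):
    """Follow redirects manually. Returns (chain, status) where chain is
    every URL visited and status is 'ok', 'loop', 'bad_scheme' or
    'too_many_hops'. Only headers are fetched; no page body is touched."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if location is None:
            return chain, "ok"
        nxt = urljoin(chain[-1], location)  # handles relative Location
        chain.append(nxt)
        if urlsplit(nxt).scheme not in ("http", "https"):
            return chain, "bad_scheme"
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def preview_text(url):
    """What a scrollover would show: the real host plus a shortened path,
    so the user sees the destination rather than the shortener."""
    parts = urlsplit(url)
    host = parts.hostname or "?"
    path = parts.path or "/"
    if len(path) > 24:
        path = path[:21] + "..."
    return host + path


def classify(url):
    """Expand a posted link and decide whether to show, block or reject it.
    Rejected links (loops, bad schemes, too deep) are not shown at all;
    blocked links resolve cleanly but land on a blocklisted host."""
    chain, status = expand_url(url)
    final = chain[-1]
    host = urlsplit(final).hostname or ""
    if status != "ok":
        verdict = "reject"
    elif host in BLOCKLIST:
        verdict = "block"
    else:
        verdict = "allow"
    return {
        "final": final,
        "hops": len(chain) - 1,
        "status": status,
        "verdict": verdict,
        "preview": preview_text(final),
    }


if __name__ == "__main__":
    for short in ("http://tinyurl.example/abc1", "http://tinyurl.example/evil",
                  "http://tinyurl.example/loop1", "http://tinyurl.example/js"):
        print(short, "->", classify(short))
```

The expansion and the blocklist check are deliberately separate steps: the preview answers the "where does this go?" question the scrollover feature addresses, while the blocklist lookup on the resolved host is the server-side monitoring O'Donnell describes, and it only works if you check the final destination rather than the shortener's domain.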
Read more on the security risks potentially posed by URL redirection, and TinyURL's own accountability, in a great blog post by Chris Merritt of Lumension Security.