SocialToo gives social networkers a false sense of security

Last week SocialToo introduced an "antivirus solution" for Twitter. Problem? It's not an antivirus solution.

Last week social network "companion" SocialToo announced that it had created an "automatic antivirus solution" for Twitter. I saw it retweeted multiple times, with apparent user excitement. I was terrified. Why? For one, it's not an antivirus solution.

The SocialToo "antivirus solution" promises to act as a middleman between Twitter and your inbox for direct message (DM) delivery. Users log into SocialToo and select "Send SocialToo DM Emails"; from then on, a user's DM notifications are routed to SocialToo rather than emailed directly to the user. The SocialToo service then promises to pass through to your inbox only the alerts that are presumably safe.

I talked to my friend Tom Eston, security researcher from SocialMediaSecurity.com, about this service, and we agreed on a few things about it that are alarming:

1. Again, this is not an antivirus product by any stretch of the imagination. It will not prevent malware (malicious files) from being installed on your computer like a traditional anti-virus (signature based) solution. It only applies to DMs.

2. Calling this an "anti-virus" product will give the general social network user a false sense of security. These are not "viruses" being sent via DMs; they are phishing links (or, in the case of trending topic spam, links to malware). This might cause users to think that this will protect them from all threats on Twitter just because it's labeled an "antivirus product".

3. Even calling this an anti-phishing solution is stretching it. You can still be phished via retweet spam or via links your friends post to their feeds after their accounts are compromised. SocialToo's service will do nothing to protect against these threats.


4. Privacy issues! By giving SocialToo this permission you are thereby giving the service access to all of your DMs. Granted, sensitive information should not be sent through Twitter anyhow, but many users do it anyway (as evidenced, as Tom points out, by the many #dmfails witnessed). It's already bad enough that we trust third parties such as TweetDeck and other clients to view our DMs, but handing them to a service that brings email into the equation just doubles the risk.

5. The biggest security risk in social media is the users themselves. The SocialToo solution might make the phishing problem worse by desensitizing users, especially since the issues people are having stem from far beyond Twitter (remember, Koobface originated on Facebook). A service like TwiGUARD from Errata Security does a good job of creating awareness about the current threat level, but SocialToo almost paralyzes users. "Have we gotten to a point where we have to have services like SocialToo do the nasty work of thinking for us?" Tom asks. "As the saying goes...'there is no patch for human stupidity.'"

6. The biggest threat to users comes when phishing attacks first go live and are most rampant, before word has spread that they pose danger. Not being a firm with a host of security researchers monitoring logs, SocialToo will likely get the information only once the threat is widespread, helping users only after the first victims have already been hit. There is a risk that these DMs initially pass through its filters, especially since some of the threats seem innocuous at first.

The bottom line is that the service very well could work part of the time. It sounds like SocialToo is betting on it, considering that it is only free until November, at which time it might become a paid service. But at the very least, SocialToo should call this product what it is: a filter that will only potentially protect you against threats delivered via DM.