Twitter Hijacking

I’m writing this post more in the way of a public awareness message than anything else, with the hope that at least it will help some people understand some of the risks they take and how they could easily avoid them – plus a bit of philosophising about the issue and basically blaming Twitter’s methodology for it.

Anyone who uses Twitter will probably have noticed a distinct increase over the last couple of days in spam messages, mostly received as direct messages (private ones) from their followers. At best it’s just a little annoying, as they seem to fall into two categories: the “you look silly on this website” variety and the “I’m having the best sex ever, find out how” variety. Obviously it’s spam designed to entice people to click on the truncated attached link, and by the looks of things it’s been pretty successful.

This is important because although most of us can laugh these off, change our passwords and move on, if you happen to be a high profile person or a company with a specific corporate image to maintain, the fallout can be damaging if competitors or adversaries play it correctly.

How all this shit works:

Knocking about Twitter you pick up on people spitting out accusations of “someone’s hacked my password” and the like. Let’s be realistic here. There ain’t no spotty nerd in his bedroom running John the Ripper with Openwall’s wordlist against your account, because if they were, your account would lock up anyway. Although no one seems to be pinning it on a specific cause, odds on it’s a plain old fashioned cross-site scripting (XSS) attack.

So as I’m aiming this post at the generally not so geeky crowd, here’s how it goes:

You are logged into your Twitter account in your web browser. You click on a link, it takes you to a dodgy site that runs a nasty bit of JavaScript against your browser and, hey presto, your Twitter account has been hijacked.

The remedy is simple: change your password and the world will once again become a better place. However, we really shouldn’t need a remedy, as with a little bit of knowledge we should be able to protect ourselves a lot better, quite easily.

First up, the web browser. Some are good, some are shite. If you’re using Internet Explorer 6 then you may as well give up; your best option is to avoid Twitter altogether or never, ever click on a truncated link.

Some web browsers come with built-in XSS protection. If you like the Microsoft variety of browser then at least make sure you’re using IE8. Opera is also very good by default at protecting you, as is Firefox (I have no idea about the capabilities of Safari or Chrome as I don’t use them, nor particularly care).

However, if you want to be completely safe, there is really only one option: disabling JavaScript altogether.

This is fairly easy in the settings of any browser, but as so much on the World Wide Web depends on JavaScript it will adversely affect your browsing: you won’t be able to see YouTube vids, some menus may disappear, and the like. Obviously that’s probably a non-starter for most people, so here’s the Penguin’s recommendation (which he uses himself).

Go here and download the Firefox web browser.

Then go here and type “NoScript” into the search box, press return and it’s the first result.

What you’ll end up with is something like this, a browser with a button with a little ‘S’ on it at the bottom:

[Screenshot: Firefox with the NoScript add-on installed]

When you first visit a site it will have JavaScript deactivated by default, so you’re safe. When you visit a site you know and trust, a simple click of the little ‘S’ brings up a list of the active JavaScript sources, which you can choose to allow or block for that site. It takes a little getting used to at first, but as it remembers what you’ve allowed or blocked, after a week or so you’ll probably not notice it on most of the sites you visit.

So there we go: the best way to stop spamming your mates about how good your sex life is or how funny they look on this or that website. It won’t cost a penny, and as a bonus you’ll probably end up with a much better web browser than the one you’ve got.

A final note on security and browsers. It’s a no-brainer to most technically astute people, but do check what version of the browser you’re using and see if there’s a newer one available. It’s not much harder than clicking the ‘Help’ menu, looking at ‘About’, noting the version number and Googling for said browser to see if there’s a new version available.

On to the blame game now.

It’s Twitter’s fault, simple as. OK, I’m being mischievous. Being unkind, it’s actually the fault of people clicking on dodgy links and using crap web browsers, but I’d like to pose a supposition if I may.

For many years people have been getting savvy to the old scam e-mail from someone pretending to be your bank: please go here and enter your details so we can validate you (and empty your bank account of cash while we’re at it).

E-mail clients got better at detecting it as well, but mostly people became aware that the e-mail they got from NatWest Bank with a link to probably wasn’t kosher. The hint was in the URL. (PS, I’ve not checked, but if anyone actually has registered that domain, I am not specifically accusing you of fraud, it’s just an example.) (I should also make clear I am not blaming or wishing to stigmatise the country of Nigeria nor its population, but sadly a lot of these scams seem to come, or pretend to come, from there.)

The problem with Twitter, and its users’ inherently higher risk of being duped, comes from a fundamental flaw/feature of how it works: the 140 character limit.

We know why it’s there and where it came from: it’s the heritage of mobile phone text messaging. But it inherently constrains the number of characters available, and thus creates a desire to abbreviate.

URL shorteners like were relatively rare before the explosion in usage of Twitter (and other such-like services), but they are now the default option for anyone wanting to link to a website on Twitter.

They do their best to weed out dodgy links, but with their enormous usage, reality dictates that it’s a losing battle as they simply don’t have the resources to check every link people create.

The best solution for Twitter would be to allow Tweets of more than 140 characters for those that include a URL link, so that people can actually see what they’re clicking on. Whether they’d ever allow such a thing is anyone’s guess, but it would go a long way towards negating this issue.
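As an added example, not from the original post, here is a Python script that puts the “see what you’re clicking on” idea into practice for shortened links: it resolves the redirect chain behind a short URL with HEAD requests and redirects disabled, so the destination page and any JavaScript on it are never loaded. The shortener it queries is a constructed local stand-in, and the short codes and destination paths are made up.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed stand-in for a URL shortener (assumption: real shorteners answer a
# short link with a 30x status and a Location header, like this one does).
# Paths not in the table are served as plain 200 pages, i.e. final destinations.
SHORT_LINKS = {
    "/abc123": "/funny-picture",  # one hop to the destination
    "/hop1": "/hop2",             # a chain of two redirects
    "/hop2": "/funny-picture",
}

class _ShortenerHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        target = SHORT_LINKS.get(self.path)
        if target is None:
            self.send_response(200)
        else:
            self.send_response(301)
            self.send_header("Location", f"http://{self.headers['Host']}{target}")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_shortener():
    """Start the stand-in shortener on a free local port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _ShortenerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def preview_short_url(short_url, max_hops=5):
    """Return the redirect chain behind a shortened link, ending at the real destination.
    Each hop is a HEAD request with redirects disabled, so no destination page (and none
    of its JavaScript) is ever loaded; the user can read the final URL before deciding."""
    hops = [short_url]
    for _ in range(max_hops):
        u = urlparse(hops[-1])
        conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(u.hostname, u.port, timeout=5)
        conn.request("HEAD", (u.path or "/") + (f"?{u.query}" if u.query else ""))
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break  # not a redirect: hops[-1] is where the link really goes
        hops.append(location)
    return hops
```

Pointing `preview_short_url` at a real short link shows the full chain, which is exactly what the truncated text in a Tweet hides; `max_hops` stops a looping redirect from running forever.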

In the meantime, security measures are best placed at the user level, which is why I’ve penned this post to spread a little awareness.

If you do use a Twitter client as opposed to the web interface you’ll be better protected (as long as you don’t also happen to be logged into Twitter in your browser as well). However, if you want to maximise your security then the Firefox web browser with the NoScript add-on is about as good as it gets.

Let’s hope this little post helps a few people not DM their friends about how great their sex life is or how funny they look on some site.

2 thoughts on “Twitter Hijacking”

  1. For tinyurl I always have the preview switched on, so that the link gets displayed in full, and you then have the choice of clicking.

    You can do this in too by the looks of it, with a Firefox add-on.

    • That’s a good suggestion too. I know some of the clients again have things like “show URL” so people can see where they’re pointing. It would be good if more people were made aware of these things.
