Monday, September 20, 2010

Malicious URLs in Twitter

Social networks are certainly good for keeping in touch with friends and staying informed. However, they are also a terrific starting point for attacks. Malware such as Koobface used them as a base for spreading, leveraging the fact that users seem to be less aware of threats on these platforms than they are of the ones on traditional e-mail or the web, as shown in this recent paper.
Twitter isn't immune from this trend. For malicious users it is very easy to create tweets containing bad links, and these messages are very easy to spread, without any need to set up complicated infrastructure such as the one required for e-mail spam. To fight this trend, the Twitter crew started filtering the links contained in all tweets, routing them through a Wepawet-like service that detects the malicious ones and prevents harm to the users who click on them (see this blog post by Twitter for details).
However, vulnerabilities are hidden everywhere, and sometimes they are so evident that nobody thinks about them. Look at this status message. There are no links in the tweet, therefore the Twitter screening procedure doesn't even get triggered. However, a malicious link might be hidden somewhere else: each tweet contains a "via <someapp>" link, where <someapp> points to a URL specified by the application developer. It turns out that these links are not checked, and therefore might point to malicious sites trying to exploit the user's browser. In the example tweet above, the application link has been set to a page identified by Wepawet as malicious.
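The gap described above is a coverage problem: the screening pipeline only looked at URLs in the message body, while the tweet object carries another clickable URL in the application attribution. The following is an added example (not code from the original post, and not Twitter's own implementation) showing the difference between extracting URLs from the text alone and from every URL-bearing field before handing them to a screening step. The tweet object is constructed and only loosely shaped after the Twitter REST API's `text` and `source` fields of the time; the hostnames and the denylist that stands in for the scanner's verdict are placeholders.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample tweet, loosely shaped after the Twitter API tweet object
# of 2010: "text" is the message body, "source" is the HTML anchor rendered as
# "via <someapp>". The hostname is a placeholder, not a real site.
SAMPLE_TWEET = json.dumps({
    "id": 1,
    "text": "Just testing a new client, no links here",
    "source": '<a href="http://bad-app.example.invalid/landing" rel="nofollow">SomeApp</a>',
})

# Constructed denylist standing in for the verdicts of a URL-screening
# service; a real deployment would query the scanner instead.
DENYLISTED_HOSTS = {"bad-app.example.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _HrefCollector(HTMLParser):
    """Collects href attributes of <a> tags from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def urls_in_text(tweet):
    """The narrow approach: only URLs written in the message body."""
    return URL_RE.findall(tweet.get("text", ""))


def urls_in_all_fields(tweet):
    """Every URL a reader can click: body text plus the 'via' app link."""
    found = list(urls_in_text(tweet))
    parser = _HrefCollector()
    parser.feed(tweet.get("source", ""))
    found.extend(parser.hrefs)
    return found


def screen(urls):
    """Return the subset of URLs whose host is on the denylist."""
    return [u for u in urls if urlparse(u).hostname in DENYLISTED_HOSTS]


def flagged_urls(raw_json, extractor=urls_in_all_fields):
    """Parse a tweet, extract URLs with the given strategy, and screen them."""
    tweet = json.loads(raw_json)
    return screen(extractor(tweet))


if __name__ == "__main__":
    # Text-only extraction misses the application link entirely.
    print("text only:", flagged_urls(SAMPLE_TWEET, urls_in_text))
    # Extracting from every field surfaces the unchecked 'via' link.
    print("all fields:", flagged_urls(SAMPLE_TWEET))
```

The design point is that the extractor, not the scanner, decides what gets screened: a scanner that is never handed the application link cannot flag it, so the fix is to enumerate every field in which a user-clickable URL can appear and feed all of them to the same check.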
This flaw was discovered by Manuel Egele and Thorsten Holz, two researchers of our group, during a project on Twitter security. We alerted the Twitter folks, and they reacted quickly. They assured us that they have started queuing the app links to their malicious URL detection system, so the issue should be fixed.
Always think twice before clicking on a link on any social network. If you are looking for a tool that helps you detect malicious links before clicking on them, check longSHORE.