The Twitter Exploit That COULD Hurt You

March 26th, 2009 by

This isn’t the first time I’ve brought up this potential exploit. I mentioned it briefly in my post The Rise and Fall of Twitter, but this is the first time I’ve seen the concern since, and because I so blindly fell into the trap again I feltt it was worthy enough to write about.

With Twitter going more mainstream it seems that everyone is jumping on the twitter bandwagon. The problem with this is more users means a greater opportunity to attack computers by the masses. What I experienced before, and again tonight, was not malicious, but it clearly opened my eyes to the opportunity.

It turns out that if someone decides to use a domain name as their twitter username, the e-mail you receive saying they are following you will generate their username as a link. Now obviously I am an internet savvy person and yet I still managed to accidentally click on this link, which directed me to a website. I most likely clicked the link out of habit; most follower notifications only have a single clickable link in the body of the e-mail, which directs you to the followers Twitter profile. I get a high volume of follower notifications each day, so I try to breeze through them as quickly as possible by clicking the link, seeing if the person is interesting enough to follow back, and then proceeding to the next e-mail. Do you see now where the potential for problems is? Below you will see the e-mail exactly as it appeared in my inbox.

Twitter Follower E-mail Notification

As you can see, I use Gmail, which could play a part in what I’m experiencing. I have no idea how any other e-mail client or provider acts with these kinds of requests, however if you know I’d love to hear from you.

Fortunately for me and my computer the username I clicked on didn’t link to a malicious site, instead it took me to, a social networking site that is being built for the Greater Orange County area. But as you can see had this been any other site I and my computer could have been exposed to just about anything.

This discovery leads me to think that maybe Twitter should consider restricting the use of domain names as a username. Obviously there are a ton of .com’s on Twitter already that aren’t using their domain as the username, so there are easy ways around it.

What do you think of this exploit? Do you think I’m just dumb and careless and that something like this shouldn’t be a concern, or do you feel this is a legitimate concern and something that could be exploited in the future?

More about:

Leave a Reply