Twitter starts blocking some malicious URLs

By Emily Chung, CBCNews.ca

With Twitter's shortened URLs, you can't always be sure what you're going to get when you click through – a problem that has been exploited by cyber criminals to engage in phishing attacks and the distribution of malware on the microblogging site.

Finally, Twitter has started blocking links to known malware sites using an online list popular with security specialists, the security company F-Secure reported on its weblog Monday.

Anyone who tries to include such a link will get the message "Oops! Your tweet contained a URL to a known malware site!" and the tweet will not be posted.

Because Twitter allows posts no longer than 140 characters, it uses an online service (currently bit.ly) to automatically shorten web addresses to a string of letters and numbers. That has made it a lot easier for criminals to send unsuspecting Twitter users to sites that download malware to their computer, or sites disguised as legitimate sites where they might get their personal information stolen.

Ultimately, this has generated the wrong kind of publicity for the microblogging site in the form of headlines such as "Twitter: A Growing Security Minefield." Security blogger Aviv Raff even devoted the entire month of July to Twitter security issues, listing problems with bit.ly in his very first entry. The site's reputation wasn't improved by the fact that it was attacked by a worm written by a U.S. teenager in April and that, more recently, some of its own employees' accounts were hacked.

The new Twitter filter is certainly a good first step to address the risks, but security experts have so far given it lukewarm reviews. One noted that it could be easily deceived by removing the www or adding http:// to the URL and said the tool is "clearly still in development."
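The weakness described above comes from comparing raw strings instead of canonical hostnames. The following is an added example, not Twitter's code or anything from the original article: the blocklist entries are constructed placeholders, and the exact-match `naive_is_blocked` is an assumption about how such a filter could fail.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist; hostnames are placeholders under the reserved .example TLD.
BLOCKLIST_RAW = ["http://www.malware-site.example/", "bad-downloads.example"]

def canonical_host(url: str) -> str:
    """Reduce a URL, with or without a scheme, to a comparable hostname."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed input such as an unbalanced IPv6 bracket
        return ""
    host = host.lower().rstrip(".")  # ignore case and the trailing root dot
    if host.startswith("www."):
        host = host[4:]
    return host

# Canonicalise the list once, so entries and tweets are compared in the same form.
BLOCKED_HOSTS = {canonical_host(entry) for entry in BLOCKLIST_RAW}

def naive_is_blocked(url: str) -> bool:
    """Assumed weak filter: exact match against the list as published."""
    return url in BLOCKLIST_RAW

def is_blocked(url: str) -> bool:
    """Hardened check: compare canonical hostnames on both sides."""
    host = canonical_host(url)
    return bool(host) and host in BLOCKED_HOSTS

def blocked_tokens(tweet: str) -> list:
    """Return the URL-like tokens in a tweet whose host is on the blocklist."""
    hits = []
    for token in tweet.split():
        token = token.strip("()[]<>\"'.,!?")
        if "." in token and is_blocked(token):
            hits.append(token)
    return hits

if __name__ == "__main__":
    for sample in ["malware-site.example/", "http://bad-downloads.example"]:
        print(sample, "naive:", naive_is_blocked(sample), "hardened:", is_blocked(sample))
```

This check matches exact hosts only; subdomains of a listed host and links hidden behind a URL shortener would need separate handling.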

In addition, because only links to "known" malware sites are blocked, cautious users might still want to preview their URLs before they click, using web services such as Untiny or the Firefox bit.ly preview plugin.