Web Security is Hard

Backstory: A friend asked me what privacy or security concerns are raised by services like Twitter. I got on a bit of a roll, so I decided to post it. To be clear, my main point here is that security on the web is really complicated, even for a service as “simple” as Twitter. These problems exist in any large web-based application.

There are two broad categories of issues here: problems that arise from the “legitimate” use of the service in unwise ways (generally privacy issues), and people taking illegitimate or unauthorized action through the service (generally security issues).

Some issues that can arise with people just posting to Twitter:

  1. Spam.
  2. It’s very easy to trick somebody into visiting a URL you control via Twitter, due to the use of link shorteners and the culture of sharing links. Tricking people into visiting sites whose provenance they don’t know is a frequent first step in attacks such as phishing or cross-site request forgery (XSRF).
  3. Impersonation (especially of celebrities).
  4. People inadvertently sharing too much information about themselves (leading to employers, family members, or criminals finding out more than they should).
  5. Other members of one’s social graph sharing more than they should about you (the Facebook equivalent of someone tagging you in photos you don’t want to be associated with).
  6. People being able to infer more than they should from your social graph alone (from my graph, you could guess where I live, where I work, which groups I’ve worked in at my employer, and where I went to college, for starters…).

Twitter also has a number of security issues that almost all web applications are vulnerable to:

  1. As you mentioned, ‘phishing’ attacks which aim to steal people’s passwords. These are compounded by the fact that people tend to re-use passwords across services, so even if a non-Twitter password is compromised, this can often be leveraged into access to Twitter accounts.
  2. Worms already use Facebook as a method of transmission (send a copy of yourself to all your friends). Worms in the future will certainly broadcast themselves via Twitter. (ed: and probably already do.)
  3. Twitter has to be careful about cross-site scripting (XSS) and cross-site request forgery (XSRF), which are essentially ways for an attacker to take over your browser by posting malicious content to a third-party web service you’re viewing, such as Twitter.
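As an added illustration of item 3 (not code from the original post), here is a minimal Python sketch of the two defences a Twitter-like service applies: escaping posted content before rendering it to other readers (against XSS), and requiring a per-session CSRF token on the post endpoint (against XSRF). The sample post, the `Session` class and the handler names are all constructed for this example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample: a post body containing markup, as someone might submit it
# to a Twitter-like service. Rendered raw, the script would run in every
# reader's browser; escaped, it is shown as inert text.
SAMPLE_POST = 'Check this out <script>alert(document.cookie)</script>'


def render_post(author: str, body: str) -> str:
    """Render a post as an HTML fragment with all user-controlled text escaped."""
    # quote=True also encodes ' and ", so the result is safe inside attribute
    # values as well as element content.
    return '<article><b>{}</b>: <span>{}</span></article>'.format(
        html.escape(author, quote=True), html.escape(body, quote=True))


@dataclass
class Session:
    """Server-side session: the CSRF token lives here, never in a cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def handle_post(session: Session, form: Dict[str, str]) -> Tuple[int, str]:
    """Accept a new post only if the form carries this session's CSRF token.

    A forged cross-site request is issued from another origin, which cannot read
    the token bound to the victim's session, so the forged form fails this check.
    """
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: compare_digest rejects non-ASCII str.
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "rejected: missing or wrong CSRF token"
    return 200, render_post(session.user, form.get("body", ""))


if __name__ == "__main__":
    s = Session("alice")
    print(handle_post(s, {"body": SAMPLE_POST}))  # forged: no token -> 403
    print(handle_post(s, {"body": SAMPLE_POST, "csrf_token": s.csrf_token}))
```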