Twitter: no-follow on all links, security problem untouched

Thu 27 August 2009 14:43, Bas van den Beld


Last week Twitter closed a 'loophole' that let SEOs get free links to their website: Twitter added rel=nofollow to the links produced by its API. That meant links in lines like "1 minute ago from TweetDeck" were no longer followed to the application, in this case TweetDeck.

For a while this loophole was a way for SEOs to get followed links from a very interesting source. You had to build a tool that used the Twitter API first, but that was not really a problem. Once the loophole was closed, so, it seemed, was the discussion on the matter. Until Dave Naylor and his team came along.

In a smashing blog post Dave exposed another loophole in Twitter. He was 'playing around' with some API settings and found that "If you change the link in the application settings, it affects all of the historical tweets generated by the application." With that you could easily get rid of the no-follow attribute, but that is not all: Twitter is leaving a massive security issue untouched. And Twitter? They didn't do anything about it. They did, however, silently put no-follow on every link on Twitter, except internal ones...

Dave showed that he could easily have gained access to any Twitter user's login cookie, which makes hijacking an account really easy. Dave gave an example using a specially set up account, which got suspended the same day. You can see the example in this video Dave made:

The 'failure' in Twitter could easily be fixed by Twitter's developers, but a day later they hadn't. That makes Twitter very vulnerable to hackers. Within minutes anyone with a little technical knowledge could be sending out tweets that trick followers into clicking the links and taking over their accounts.

[Image: Dave_twitter_security_1]

The opening Dave exposed is something we shouldn't underestimate. Taking over accounts can be used for all sorts of malicious things. It would, for example, not be surprising if many people use the same password for their Twitter account as for their GMail, Hotmail or any other service.

In his second post Dave goes into more of the technical details, and they are quite stunning. Whatever you type in the application box appears at the end of tweets, and you can paste HTML or even JavaScript.

[Image: Dave_twitter_security_2]
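The attribution line at the end of each tweet is where both the flaw and the fix live. The example below is added here and is not Twitter's code or Dave's: it models application settings and tweets as constructed dicts, shows a naive renderer that lets HTML in the application name or URL reach the page, a hardened renderer that escapes the name, rejects non-http(s) URLs and adds rel=nofollow, and why editing the settings changes every historical tweet (the attribution is rebuilt from the current settings at view time).

```python
import html
from urllib.parse import urlsplit

# Constructed sample application settings, as a registered API application
# could save them. The hostile values are illustrative, not Dave's payload.
BENIGN_APP = {"name": "TweetDeck", "url": "http://tweetdeck.com/"}
HOSTILE_APP = {"name": "TweetDeck<script>alert(1)</script>",
               "url": "javascript:alert(1)"}

# Constructed tweets: each stores only the id of the app that posted it, so
# the attribution line is rebuilt from the app's current settings at view time.
TWEETS = [{"text": "hello", "app_id": 7}, {"text": "world", "app_id": 7}]


def render_source_vulnerable(app):
    """Naive attribution line: settings dropped straight into the markup."""
    return '1 minute ago from <a href="%s">%s</a>' % (app["url"], app["name"])


def safe_url(url):
    """Allow only absolute http(s) URLs; anything else (javascript:, data:,
    relative paths) falls back to a harmless '#'."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return "#"


def render_source_hardened(app):
    """HTML-escape the name, whitelist the URL scheme and add rel=nofollow
    (the attribute Twitter applied to API-produced links)."""
    return '1 minute ago from <a href="%s" rel="nofollow">%s</a>' % (
        html.escape(safe_url(app["url"]), quote=True),
        html.escape(app["name"], quote=True))


def render_timeline(tweets, apps, renderer):
    """Render every tweet with its app's attribution. Because the app settings
    are looked up here, editing them changes all historical tweets at once."""
    return ["%s (%s)" % (t["text"], renderer(apps[t["app_id"]])) for t in tweets]


def contains_active_content(markup):
    """Detection check: did a <script> tag or javascript: href survive?"""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low
```

Output encoding is the fix for the injection itself; marking the session cookie HttpOnly would additionally keep injected script from reading it, which is what the cookie-stealing demonstration relied on.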

Dave pointed out some ways to prevent your account from being hacked:

  • If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you, however malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
  • Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.
  • If you use something other than the Twitter website to view your tweets, perhaps one of the applications mentioned below, you should be fairly safe, though without looking at each one individually it’s hard to be sure. Still, you’re likely to be pretty safe this way.

Chances are that if you use a third-party Twitter client you'll be all right, but be sure to use one of the popular ones. Using the Twitter website could be dangerous, however. Be sure to read both of Dave's posts on his blog to get the full story and the how-to.

Meanwhile Twitter doesn't seem to have responded to Dave's findings yet. They did, however, follow up on the no-follow issue. They decided not to stop at no-following the links below the tweet: Twitter added the no-follow attribute to ALL external links.

This move is a blow for link builders, who can no longer rely directly on Twitter, but more importantly: Twitter seems to be closing the walls around itself. It looks a lot like how Wikipedia works: internal links matter, external links won't. How will SEOs handle this one? Dave, any suggestions? ;)



Comments (5)

 

    • William Tucker

    Although this was a serious issue... The 'outing' of the problem by Naylor is just link bait whoring at its finest.

    TechCrunk was guilty of it last month or so...

    Thu 27 Aug 2009, 16:30


  • William, if that is so, it's a bit strange that TechCrunch wrote a big article about it yesterday giving Dave all the credit?

    Could you provide a link to back up what you're saying?

    Thu 27 Aug 2009, 17:12


    • William Tucker

    This was originally a nice little secret and a neat way of getting nofollow links from the Twitter domain.

    Then some big mouth blabbed and Twitter fixed the issue. If Twitter had not bothered to fix the nofollow link and let it ride - most people (including Naylor) would not have been so quick to expose this access point.

    As for TechCrunk, they write about anything... Yesterday they reported on a web site that added a 'Share This' bar to their web site... Please.

    Thu 27 Aug 2009, 17:32


  • Ah William, you must be talking about the no-follow link in the area below the tweet, a loophole which was closed a week ago... http://www.searchcowboys.com/seo/898

    This is a different issue resulting from that.

    Thu 27 Aug 2009, 17:44


  • @tucker were you the one dropping cookies out of twitter with that exploit then? not many knew about that XSS, seems you did?

    Thu 27 Aug 2009, 17:47

© 2014 Searchcowboys.com - All Rights Reserved - All views and opinions expressed are those of the authors of Searchcowboys.
