Twitter: no-follow on all links, security problem untouched

Thu 27 August 2009 14:43, Bas van den Beld

Last week Twitter closed a 'loophole' for SEOs to get free no-follow links to their website. Twitter added rel=nofollow to links produced by their API. That meant links in lines like "1 minute ago from TweetDeck" were no longer followed to the application, in this case Tweetdeck.

For a while this loophole was a way for SEOs to get followed links from a very interesting source. You had to build a tool to use the Twitter API first, but that was not really the problem. After the loophole was closed so seemed the discussion on this matter. Until Dave Naylor and his team came along.

With a smashing blogpost Dave exposed another loophole in Twitter. He was 'playing around' with some API settings and found out that "If you change the link in the application settings, it affects all of the historical tweets generated by the application." With that you could easily get rid of the no-follow attribute, but not just that, Twitter is leaving a massive security issue untouched. And Twitter? They didn't do anything. But they did silently put no-follow links on every link on Twitter, except internal...

Dave showed us he could have easily gained access to any Twitter-users login cookie and therefore making hacking really easy. Dave gave us an example using a especcially set up account which got suspended the same day. You can see the example in this video Dave made:

The 'failure' in Twitter could easily be fixed by Twitter developers, but a day later they hadn't. That makes Twitter very vulnerable for hackers. Within minutes anyone with a little technical knowledge could be sending out tweets tricking followers in clicking on the links and taking over their accounts.

The opening Dave exposed is something we shouldn't underestimate. The taking over of accounts can be used for all sorts of malicious things. It is for example not unexpected if many use the same password for their Twitter account as for their GMail, hotmail or any other service.

In his second post Dave goes into more of the technical details. These are quite stunning. Whatever you type in the application box will appear on the end of tweets, and you can past html or even javascript.

Dave pointed at some ways to prevent you from getting your account being hacked:

If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you, however malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.
If you use something other than the Twitter website to view your tweets, perhaps one of the applications mentioned below, you should be fairly safe, though without looking at each one individually it’s hard to be sure. Still, you’re likely to be pretty safe this way.

Chances are that if you use a third party Twitter client you'll be allright, but be sure to use any of the popular ones. Using the Twitter website could be dangerous however. Be sure to read both Dave's posts on this on his blog to get the full story and how to.

Meanwhile Twitter doesn't seem to have responded to Dave's findings yet. They did however followed up on the no-follow issue. They decided not to stop at the no-following of the links below the tweet. Twitter added the no-follow attribute to ALL external links.

This move is a blow for linkbuilders who can no longer rely directly on Twitter, but even more important: Twitter seems to be closing the walls around them. It looks a lot like how Wikipedia works: internal links do matter, external links won't. How will SEO's handle this one? Dave, any suggestions? ;)

<What would Google do? Go Interna...

Follow and listen to Searchcowbo...>

Comments (5)

- WIlliam Tucker
Althought this was a serious issue... The 'outing' of the problem by Naylor is just link bait whoring at it's finest.

TechCrunk was guilty of it last month or so...

Do 27 aug 2009, 16:30
- Bas van den Beld
- [website]
William, if that is so, it's a bit strange that TechCrunch wrote a big article about it yesterday giving Dave all te credits?

Could you provide a link to back up what you're saying?

Do 27 aug 2009, 17:12
- William Tucker
This was originally a nice little secret and a neat way of getting nofollow links from the Twitter domain.

Then some big mouth blabbed and Twitter fixed the issue. If Twitter had not bothered to fix the nofollow link and let it ride - most people (inlcuding Naylor) would not have been so quick to expose this access point.

As for TechCrunk, they write about anything... Yesterday they reported on a web site that added a 'Share This' bar to their web site... Please.

Do 27 aug 2009, 17:32
- Bas van den Beld
- [website]
Ah William, you must be talking about the no-follow link in the area below the tweet, a loophole which was closed a week ago... http://www.searchcowboys.com/seo/898

This is a different issue resulting from that.

Do 27 aug 2009, 17:44
- Dave naylor
- [website]
@tucker where you the one dropping cookies out of twitter with that exploit then ? not many new about that XSS seem you did?

Do 27 aug 2009, 17:47

Comment

Partnership between Yahoo and Tw...

Thu 25 Feb 2010, Editors

0 comments

Partnership between Yahoo and Twitter includes Yahoo! Search

Yahoo, the arch rival of Google is all set to make its website and search more compelling. Yahoo will now show a wider range of Twitter updates in its search results. ...... read more

Our Daily Search Pic(k): Finnish...

Mon 15 Feb 2010, Editors

0 comments

Our Daily Search Pic(k): Finnish Streetview humor

Like this Pic? Twitter it!. Full version on Flickr. Have any suggestions for our Daily Search Pic(k)? E-mail us or DM or message us on Twitter! ... read more

Our weekend reading list Februar...

Fri 12 Feb 2010, Editors

0 comments

Our weekend reading list February 6th - 12th

Every week Searchcowboys informes you about what were the hot topics of the week, both on Searchcowboys and on other places of the world wide web. Its my final week...... read more