Twitter: no-follow on all links, security problem untouched

Thu 27 August 2009 14:43, Bas van den Beld

Last week Twitter closed a 'loophole' that let SEOs get free followed links to their website. Twitter added rel=nofollow to links produced by their API, so links in lines like "1 minute ago from TweetDeck" were no longer followed to the application, in this case TweetDeck.

For a while this loophole was a way for SEOs to get followed links from a very interesting source. You had to build a tool that used the Twitter API first, but that was not really a problem. After the loophole was closed, the discussion seemed to close with it. Until Dave Naylor and his team came along.

With a smashing blog post Dave exposed another loophole in Twitter. He was 'playing around' with some API settings and found out that "If you change the link in the application settings, it affects all of the historical tweets generated by the application." With that you could easily get rid of the no-follow attribute, but that is not all: Twitter is leaving a massive security issue untouched. And Twitter? They didn't do anything. But they did silently put no-follow on every link on Twitter, except internal ones...

Dave showed that he could easily have gained access to any Twitter user's login cookie, which makes hijacking an account really easy. Dave gave an example using a specially set up account, which got suspended the same day. You can see the example in this video Dave made:

The 'failure' in Twitter could easily be fixed by Twitter's developers, but a day later they hadn't. That leaves Twitter very vulnerable to hackers. Within minutes anyone with a little technical knowledge could be sending out tweets that trick followers into clicking on links and taking over their accounts.


The opening Dave exposed is something we shouldn't underestimate. Taken-over accounts can be used for all sorts of malicious things. It is, for example, not unlikely that many people use the same password for their Twitter account as for their Gmail, Hotmail or any other service.

In his second post Dave goes into more of the technical details, and these are quite stunning. Whatever you type in the application box appears at the end of tweets, and you can paste HTML or even JavaScript into it.
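As an added example (not code from Dave's posts or from Twitter), here is the kind of rendering bug the post describes beside its fix: the "from <application>" suffix of a tweet built from attacker-controlled application settings, first by plain string concatenation and then with HTML encoding and an http(s)-only check on the application link. The application names and URLs below are constructed for illustration.

```javascript
// Added example: rendering the "from <application>" suffix of a tweet.
// The application name and URL come from the app settings, i.e. from whoever
// registered the application, so they are untrusted input when building HTML.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only allow absolute http(s) URLs for the application link; anything else
// (for example a javascript: URL) is replaced with a harmless fallback.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (e) { /* not a parseable absolute URL */ }
  return "#";
}

// Vulnerable: untrusted values are concatenated straight into the markup,
// so HTML or script in the application settings lands in every tweet.
function renderSourceUnsafe(app) {
  return 'from <a href="' + app.url + '" rel="nofollow">' + app.name + '</a>';
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderSourceSafe(app) {
  return 'from <a href="' + escapeHtml(safeHref(app.url)) + '" rel="nofollow">' +
         escapeHtml(app.name) + '</a>';
}

// Constructed samples (hypothetical, not taken from the page): a normal client
// and an application whose settings carry a script tag and a javascript: URL.
const benignApp = { name: "TweetDeck", url: "http://tweetdeck.com/" };
const hostileApp = {
  name: "Tweetly<script>alert(1)</script>",
  url: "javascript:alert(1)",
};

console.log(renderSourceUnsafe(hostileApp)); // script tag survives intact
console.log(renderSourceSafe(hostileApp));   // script tag rendered as text
```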

Dave pointed at some ways to prevent your account from being hijacked:

  • If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you, however malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
  • Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.
  • If you use something other than the Twitter website to view your tweets, perhaps one of the applications mentioned below, you should be fairly safe, though without looking at each one individually it’s hard to be sure. Still, you’re likely to be pretty safe this way.

Chances are that if you use a third-party Twitter client you'll be all right, but be sure to use one of the popular ones. Using the Twitter website could be dangerous, however. Be sure to read both of Dave's posts on his blog to get the full story and the how-to.

Meanwhile Twitter doesn't seem to have responded to Dave's findings yet. They did, however, follow up on the no-follow issue. They decided not to stop at no-following the links below the tweet: Twitter added the no-follow attribute to ALL external links.

This move is a blow for link builders, who can no longer rely directly on Twitter, but even more important: Twitter seems to be closing the walls around itself. It looks a lot like how Wikipedia works: internal links do matter, external links won't. How will SEOs handle this one? Dave, any suggestions? ;)
