Plagued with what seems like constant attacks from hackers and spammers, Twitter has finally put a feature in place that blocks malicious URLs. However, the feature, which was introduced with little fanfare, is not exactly a rock-solid defense.
When someone posts a link that is malicious, they get an immediate notification from Twitter which says “Oops! Your tweet contains an URL to a known malware site” and the post is deleted. While the feature is a good first step, it also falls victim to a popular and necessary feature on Twitter: URL shortening.
Thanks to Twitter’s insistence that tweets be no more than 140 characters long, services like TinyURL and Bit.ly have flourished. Unfortunately, they also allow a hacker or spammer to easily get around the new block, which ignores malicious URLs that have been shortened using such services. In another blunder, the block also ignores malicious URLs if the “www” has been removed.
These are very serious flaws which effectively render the new block more or less useless. Almost no one on Twitter posts complete URLs; they use URL shortening services. For such a block to be truly effective, Twitter is going to have to either find a way for it to block malicious URLs hidden behind shortened URLs or, better yet, remove the 140-character limit so such services no longer have to be relied on.
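Both weaknesses described above come from matching the blocklist against the literal string a user typed. The following added example (not Twitter’s code; the blocklist entry, the `short.test` shortener and the function names are constructed for illustration) contrasts that naive exact-match check with one that canonicalizes the host (case, leading “www.”, default port) and expands shortener redirects through an injectable resolver before consulting the list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data so the example runs offline: one blocklisted
# URL and a lookup table standing in for a shortener's redirect targets.
BLOCKLIST = {"http://www.example-malware.test/payload"}
SHORTENER_HOSTS = {"short.test"}
SHORTENER_TABLE = {"http://short.test/abc": "http://www.example-malware.test/payload"}


def naive_is_blocked(url):
    """Exact-string match: misses the 'www'-stripped and shortened variants."""
    return url in BLOCKLIST


def normalize(url):
    """Canonical form: lowercase scheme/host, drop 'www.', default port, fragment."""
    url = url.strip()
    if "://" not in url:          # tolerate scheme-less links such as host/path
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


NORMALIZED_BLOCKLIST = {normalize(u) for u in BLOCKLIST}


def expand(url, resolver=SHORTENER_TABLE.get, max_hops=5):
    """Follow shortener redirects (hop limit and loop guard) to the final target."""
    seen = set()
    for _ in range(max_hops):
        seen.add(url)
        if (urlsplit(url).hostname or "").lower() not in SHORTENER_HOSTS:
            break
        target = resolver(url)      # a real deployment would issue a HEAD request here
        if target is None or target in seen:
            break
        url = target
    return url


def robust_is_blocked(url, resolver=SHORTENER_TABLE.get):
    """Expand, then normalize, then compare against the normalized list."""
    return normalize(expand(url, resolver)) in NORMALIZED_BLOCKLIST
```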
Twitter has so far refused to comment on the issue.