Swiss security consultancy High-Tech Bridge made the discovery with a simple experiment: it set up a web server hosting a unique ‘secret’ URL for each of the 50 services it wanted to assess, then performed a set of common actions on each service (sharing or sending that service’s URL) and watched the server logs to see which firms fetched the link they had been given.
By the end of the ten-day experiment, only six of the 50 services had been ‘trapped’ following their links back to the server: two different Google services, plus bit.ly, Facebook, Formspring and Twitter, one each.
Two of these, bit.ly and goo.gl, are link-shortening services with an obvious legitimate reason to fetch any link submitted to them, but what about the others? In Facebook’s and Twitter’s case the links were inside private messages, while Google’s was a link shared on Google+ with a circle that had zero members.
Facebook, Twitter and Google are all heavily targeted by phishing attacks on their users, and could claim a legitimate security reason for fetching every link they handle. Yet they did not appear to fetch many other links that carry the same risk, such as (in Google’s case) a link sent via the Talk application, which makes the ‘we check everything for safety’ explanation less convincing.
High-Tech Bridge also tried to deter automated link examination with a robots.txt exclusion file on its server, but only Twitter paid any attention to it. That is the expected limitation of robots.txt: it is an advisory convention, not an access control, so it reveals which clients choose to respect it rather than preventing fetches.
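The experiment described above, reduced to working code as an added example (this is not High-Tech Bridge’s own tooling, which the article does not publish). It derives one unguessable trap path per service from a tester-held key, serves a robots.txt that forbids all crawling, and then parses web-server access-log lines to attribute every fetch of a trap path back to the service that was given it, noting whether the same client read robots.txt first. The host name, key, service list and log lines are constructed for the example.

```python
"""
Canary-URL experiment: one unguessable URL per service under test, a
robots.txt that forbids all crawling, and an access-log analysis that
attributes each fetch of a trap URL to the service it was handed to.
Added example; host, key, services and log lines are constructed.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: the tester controls this host and keeps this key private.
TRAP_HOST = "trap.example.org"
EXPERIMENT_KEY = b"replace-with-32-random-bytes"

# Advisory only: a client that fetches a trap URL anyway is the signal.
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"


def trap_path(service: str, key: bytes = EXPERIMENT_KEY) -> str:
    """Derive a per-service, unguessable path. Keying the HMAC on the service
    name means the token alone identifies which service leaked or fetched it."""
    token = hmac.new(key, service.encode(), hashlib.sha256).hexdigest()[:24]
    return f"/doc/{token}"


def trap_url(service: str) -> str:
    """Full URL to hand to the service (in a message, a shared post, etc.)."""
    return f"https://{TRAP_HOST}{trap_path(service)}"


# Combined log format, as written by Apache and nginx by default.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def attribute_hits(log_lines, services):
    """Return {service: [hit, ...]} for every trap path seen in the log.
    Each hit records client IP, user-agent, timestamp and whether that same
    client (IP + user-agent) requested /robots.txt earlier in the log."""
    path_to_service = {trap_path(s): s for s in services}
    robots_seen = set()  # (ip, ua) pairs that fetched robots.txt
    hits = defaultdict(list)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the report
        client = (m["ip"], m["ua"])
        if m["path"] == "/robots.txt":
            robots_seen.add(client)
            continue
        service = path_to_service.get(m["path"])
        if service is None:
            continue  # scanners, typos, unrelated probes: not a canary hit
        hits[service].append({
            "ip": m["ip"], "ua": m["ua"], "ts": m["ts"],
            "checked_robots": client in robots_seen,
        })
    return dict(hits)


def summarise(hits, services):
    """One line per service: fetched or not, and whether robots.txt was read."""
    lines = []
    for s in services:
        if s not in hits:
            lines.append(f"{s}: not fetched")
            continue
        robots = any(h["checked_robots"] for h in hits[s])
        lines.append(f"{s}: fetched {len(hits[s])}x, robots.txt read first: {robots}")
    return lines


SERVICES = ["twitter", "facebook", "formspring", "mail-provider"]

# Constructed sample log: four services were given a URL, two fetched it,
# one of those read robots.txt first; plus an unrelated probe and a bad line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2012:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 27 "-" "Twitterbot/1.0"',
    f'203.0.113.7 - - [10/Dec/2012:10:01:03 +0000] "GET {trap_path("twitter")} HTTP/1.1" 200 512 "-" "Twitterbot/1.0"',
    f'198.51.100.9 - - [10/Dec/2012:10:05:44 +0000] "GET {trap_path("facebook")} HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"',
    '192.0.2.55 - - [10/Dec/2012:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for s in SERVICES:
        print(f"give {s}: {trap_url(s)}")
    for line in summarise(attribute_hits(SAMPLE_LOG, SERVICES), SERVICES):
        print(line)
```

Because each path is an HMAC of the service name, a fetch is attributable even if the token is later forwarded elsewhere; the robots.txt check is deliberately keyed on IP and user-agent together, since a service may fetch from several addresses and a single address may host several crawlers.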
The results of the experiment puzzled High-Tech Bridge CTO, Marsel Nizamutdinov.
“The four trapped social networks justify their activities by ‘automated verifications’. However, it is technically impossible to verify what is really going on and how the information obtained on the user-transmitted URLs is being used,” he said.
“Today, quite a lot of web applications omit authentication and rely on temporary or unpredictable URLs to hide some content and, when users transfer such URLs via social networks, they cannot be sure that their information will indeed remain confidential.”
It’s a valid point, although some will see it as being of very little significance to the overwhelming majority of web users. Even those using temporary or unguessable links for personal material will probably feel untroubled; anyone with a genuine need for confidentiality will surely be protecting the content with authentication rather than relying on the URL staying secret.
One might also turn the results around and wonder why the services examine so few links, given the security problem presented by social-media worms and phishing attacks.
High-Tech Bridge remains convinced that the results contain a small but important privacy warning.
“The term ‘spying’ is quite subjective here, but this can definitely be called monitoring. Afterwards, whether the information obtained from such monitoring is being used ethically or not, nobody can say for sure,” said a company spokesperson.